Bug 25373 - giflib new security issue CVE-2019-15133
Summary: giflib new security issue CVE-2019-15133
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-28 22:32 CEST by David Walser
Modified: 2019-09-06 23:11 CEST

See Also:
Source RPM: giflib-5.1.6-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2019-08-28 22:32:02 CEST
Ubuntu has issued an advisory on August 20:
https://usn.ubuntu.com/4107-1/

The issue was fixed upstream in 5.1.8.
David Walser 2019-08-28 22:42:29 CEST

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2019-08-29 06:48:18 CEST
Done!
Comment 2 David Walser 2019-08-29 13:12:37 CEST
Advisory:
========================

Updated giflib packages fix security vulnerability:

In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero
exception in the decoder function DGifSlurp in dgif_lib.c if the height field
of the ImageSize data structure is equal to zero (CVE-2019-15133).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15133
https://usn.ubuntu.com/4107-1/
========================

Updated packages in core/updates_testing:
========================
giflib-progs-5.1.8-1.mga6
libgif7-5.1.8-1.mga6
libgif-devel-5.1.8-1.mga6

from giflib-5.1.8-1.mga6.src.rpm

Assignee: bugsquad => qa-bugs
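
Added example (not part of this bug report and not giflib code): the advisory above says the crash is reached when an image descriptor's height field is zero, so a file can be screened for that condition without invoking the decoder. The sketch below walks the GIF block structure and reports such descriptors; the function names and the sample bytes are constructed for illustration.

```python
import struct

def _color_table_len(packed):
    # A color table is present when bit 7 is set; its size is 3 * 2^(N+1) bytes.
    return 3 * (1 << ((packed & 0x07) + 1)) if packed & 0x80 else 0

def _skip_sub_blocks(data, pos):
    # Sub-blocks are length-prefixed; a zero length byte ends the chain.
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def zero_height_images(data):
    """Return [(image_number, width, height)] for image descriptors with height 0."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF stream")
    pos = 13 + _color_table_len(data[10])          # header + logical screen descriptor
    findings, number = [], 0
    while pos < len(data) and data[pos] != 0x3B:   # 0x3B = trailer
        if data[pos] == 0x21:                      # extension: label, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif data[pos] == 0x2C:                    # image descriptor
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            _left, _top, width, height, packed = struct.unpack_from("<4HB", data, pos + 1)
            number += 1
            if height == 0:
                findings.append((number, width, height))
            # Skip local color table, LZW minimum code size byte, and pixel data.
            pos = _skip_sub_blocks(data, pos + 10 + _color_table_len(packed) + 1)
        else:
            raise ValueError("unexpected block type 0x%02x" % data[pos])
    return findings

def sample_gif(height):
    # Constructed test input: 4-pixel-wide single-image GIF89a, no color tables.
    # The pixel sub-block holds placeholder bytes; this scanner never decodes them.
    screen = b"GIF89a" + struct.pack("<HHBBB", 4, 4, 0, 0, 0)
    image = b"\x2C" + struct.pack("<4HB", 0, 0, 4, height, 0)
    return screen + image + b"\x02" + b"\x02\x00\x00" + b"\x00" + b"\x3B"

if __name__ == "__main__":
    print(zero_height_images(sample_gif(4)))
    print(zero_height_images(sample_gif(0)))
```

A non-empty result marks a file that should be rejected before it is handed to a giflib older than 5.1.8.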

Comment 3 Len Lawrence 2019-08-30 01:01:44 CEST
mga6, x86_64

CVE-2019-15133
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13008
This link does not help much.  There is a reproducer but it only works in the context of the OSS-fuzz system which might need an expert to set up.  If handled correctly it would cause a floating point exception.

In which case we might as well go straight to the updates.

Clean update.

General information at http://giflib.sourceforge.net/intro.html
https://sourceforge.net/p/giflib/code/ci/master/tree/NEWS
This news link refers to a newer version but may help to indicate which of the /bin/gif* utilities are associated with giflib.  There is probably a neat way to obtain that information (?).

These we have:
gif2rgb
giffilter
gifsponge
gifbuild
gifecho
giffix
gifinto
gifsponge
giftool
giffilter
giftext
gifclrmp

These we do not:
gif2raw, gifrotate, gifbg, gifcolor, gifhisto, gifwedge

$ ls /bin/gif*
/bin/gif2png*   /bin/gifdiff*    /bin/gifinto*    /bin/giftogd2*  /bin/gifview*
/bin/gif2rgb*   /bin/gifecho*    /bin/gifsicle*   /bin/giftool*
/bin/gifbuild*  /bin/giffilter*  /bin/gifsponge*  /bin/giftopnm*
/bin/gifclrmp*  /bin/giffix*     /bin/giftext*    /bin/giftrans*

giftool is a filter which is very difficult to use because the documentation does not give concrete examples but referring to a previous bug this invocation worked:

$ giftool -f "%v\n%w x %h\n" < mcam_cre_short_oncomingstorm.gif
GIF89a
985 x 739
[...]
GIF89a
985 x 739

Display global colour map from multi-image GIF file.
$ giftext -c < Jupiter_2207_pia22694.gif
	Screen Size - Width = 960, Height = 960.
	ColorResolution = 7, BitsPerPixel = 8, BackGround = 255, Aspect = 0.
	Has Global Color Map.
	Global Color Map:
	Sort Flag: off
  0: 00h 01h 00h     1: 07h 0fh 15h     2: 16h 0fh 06h     3: 0eh 16h 25h   
  4: 02h 18h 37h     5: 23h 19h 21h     6: 0eh 1fh 2ah     7: 12h 22h 17h   
[...]
GIF89 application block (Ext Code = 255 [ ]):
GIF89 comment (Ext Code = 254 [ ]):
00000:  4                                                 Created with GIM 
GIF89 graphics control (Ext Code = 249 [ ]):
	Disposal Mode: 1
	User Input Flag: 0
	Transparency on: no
	DelayTime: 200
	Transparent Index: -1
Image #1:
	Image Size - Left = 0, Top = 0, Width = 960, Height = 960.
	Image is Non Interlaced.
	No Image Color Map.

Another way to extract colour map information:
$ gifclrmp -s < Tatiana.gif > colourmap.txt
$ less colourmap.txt
  0   4   4   4
  1   5   6  10
  2   6   9  12
  3  11   5   2
  4   9   7  10
[...]
252 243 239 237
253 222 225 231
254 182 195 191
255 121 129 127

Make a copy of an image with a high value of gamma.
$ gifclrmp -g 2.8 < Tatiana.gif > brighter.gif

Generate a text image, blue text on black background.
$ gifecho -c 144 187 229 -t "QA needs YOU!" > recruit.gif

Generate binary 256-bit RGB files from input file.
$ gif2rgb -c 8 -o test Tatiana.gif
$ ll test*
-rw-r--r-- 1 lcl lcl 821880 Aug 29 23:27 test.B
-rw-r--r-- 1 lcl lcl 821880 Aug 29 23:27 test.G
-rw-r--r-- 1 lcl lcl 821880 Aug 29 23:27 test.R

$ identify Tatiana.gif 
Tatiana.gif GIF 1080x761 1080x761+0+0 8-bit sRGB 256c 555605B 0.000u 0:00.000
$ gif2rgb -c 8 -s 1080 761 -o image < test.R 
gif2rgb: Input file(s) terminated prematurly.

It is not clear why this fails.  Only one input file is expected and the man page indicates that it should contain RGB data which probably means that the RGB files need to be catenated somehow to look like the global colourmap.  The documentation is somewhat sparse.  One would assume that it would be possible to make an image in a single colour.

Not sure what to make of this.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2019-09-02 11:31:33 CEST
The preceding tests are good enough to push this on for 64bits.

Whiteboard: (none) => MGA6-64-OK

Comment 5 Thomas Andrews 2019-09-05 05:00:35 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-06 19:32:16 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2019-09-06 23:11:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0252.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

