openSUSE has issued an advisory today (September 13): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7LT4ZGSUVTVP4M6DZMXIWJ67JSPE3CZI/ The issue is fixed upstream in 1.93: http://www.lcdf.org/gifsicle/changes.html Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
'gifsicle' has no listed maintainer, and has been committed by various packagers, so no choice but to assign this update globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated package fixes a security vulnerability on certain resize operations with ‘--resize-method=box’. References: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7LT4ZGSUVTVP4M6DZMXIWJ67JSPE3CZI/ http://www.lcdf.org/gifsicle/changes.html ======================== Updated package in core/updates_testing: ======================== gifsicle-1.93-1.mga8 from SRPM: gifsicle-1.93-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNEDVersion: Cauldron => 8Whiteboard: MGA8TOO => (none)CC: (none) => nicolas.salguero
MGA8-64 Plasma on Lenovo B50 No installation issues. Ref bug 23134 for testing and did some reading on the commands. $ gifsicle --flip-h < P5211854.gif > P5flipped.gif both the original and flipped images display ccorrectly with gifview and gwenview. Then trying to understand it $ gifdiff -h ‘Gifdiff’ compares two GIF files (either images or animations) for identical visual appearance. An animation and an optimized version of the same animation should compare as the same. Gifdiff exits with status 0 if the images are the same, 1 if they’re different, and 2 if there was some error. then $ gifdiff P5211854.gif P5flipped.gif frame #0 pixels differ: 0,0 <#2A4540 >#071215 and no more. Is it so cleaver to detect that the images are essentially the same??? Cann't find anything drastically wrong, so OK.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA8-64-OK
mga8, x86_64. No PoC trail so on with update. $ gifsicle -e ThoseCats.gif Split a short animated gif into 70 frames named ThoseCats.gif.000 ... ThoseCats.gif.069. Many of those showed only the pixels which change from frame to frame. $ gifview ThoseCats.gif This presents the animation - start it with keyboard 'a' and stop at any time with 's'. $ gifsicle --color-info ThoseCats.gif * ThoseCats.gif 70 images logical screen 279x369 global color table [64] | 0: #141922 16: #B7C8E0 32: #EFEBE3 48: #000000 | 1: #2B3547 17: #BBA98E 33: #E4E9F0 49: #000000 [...] | 15: #AB9A88 31: #E7E5E2 47: #000000 63: #000000 background 32 loop forever + image #0 279x369 transparent 32 disposal asis delay 0.08s + image #1 277x367 at 1,1 transparent 31 disposal asis delay 0.08s [...] + image #69 277x367 at 1,1 transparent 29 disposal asis delay 0.08s Combined a number of gif frames into a single animated gif. $ gifsicle --colors 256 -m frame*.gif -o new.gif $ file new.gif new.gif: GIF image data, version 87a, 597 x 448 $ gifview --min-delay 100 new.gif 'a' started the animation. 's' paused it. 'r' at this point returned to the first frame. The frames were also viewed as a slideshow by starting gifview without a delay and left-clicking on the frame to advance. This looks good.
CC: (none) => tarazed25
Apologies to Herman. Started my tests a while ago with a long break.
Of course I can't speak for him, but it reads to me like Herman would appreciate the confirmation this time, Len. Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0437.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
CVE-2020-19752 was also fixed in this update: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7H3ASG2BD4D4SAUUI6TOLUZYP2QYYHXY/ I'm not entirely certain, but it appears to be a different issue.
Summary: gifsicle new security issue fixed upstream in 1.93 => gifsicle new security issues fixed upstream in 1.93 (including CVE-2020-19752)