109997 – media-libs/giflib: buffer overflow / null pointer deref

Bug 109997 - media-libs/giflib: buffer overflow / null pointer deref

Summary: media-libs/giflib: buffer overflow / null pointer deref

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major
Assignee:	Gentoo Security

URL:
Whiteboard:	A2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2005-10-21 01:17 UTC by Thierry Carrez (RETIRED)
Modified:	2005-11-20 02:14 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thierry Carrez (RETIRED) gentoo-dev

2005-10-21 01:17:32 UTC

Chris Evans discovered that libungif 4.1.4 fixed potentially sensitive issues
that may be used to execute arbitrary code.

These issues were initially discovered by Daniel Eisenbud and silently fixed in
4.1.4.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-10-21 01:20:57 UTC

Mamoru: this is a semi-public issue, could you silently add 4.1.4 to the tree so
that we are ready to disclose it by the coordinated date (2005/10/28, 1400 UTC)

Comment 2 SpanKY gentoo-dev

2005-10-21 06:50:15 UTC

libungif is dead

only giflib should be updated and libungif should be masked

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-10-21 08:49:21 UTC

Release date is now set to 2005/11/03

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2005-10-28 00:37:51 UTC

CVE Ids :
CVE-2005-2974 libungif NULL pointer deref
CVE-2005-3350 libungif OOB access

usata/vapier: please bump

Comment 5 SpanKY gentoo-dev

2005-10-28 16:12:56 UTC

giflib-4.1.4 now in portage

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2005-10-29 02:29:55 UTC

Ccing security liaisons...
Please test and mark 4.1.4 stable, so that's the ebuild is ready at GLSA release
time.

Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-10-29 08:55:52 UTC

Stable on ppc and hppa.

Comment 8 Bryan Østergaard (RETIRED) gentoo-dev

2005-10-29 12:53:56 UTC

Stable on alpha.

Comment 9 Simon Stelling (RETIRED) gentoo-dev

2005-10-30 02:53:24 UTC

amd64 stable

Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev

2005-10-31 07:21:27 UTC

sparc stable.

Comment 11 Brent Baude (RETIRED) gentoo-dev

2005-10-31 07:45:23 UTC

Marked ppc64 stable (and urt)

Comment 12 Thierry Carrez (RETIRED) gentoo-dev

2005-11-03 02:53:58 UTC

Adding halcyon to handle x86 stable marking.

Comment 13 Mark Loeser (RETIRED) gentoo-dev

2005-11-03 11:56:03 UTC

x86 stable

Comment 14 Thierry Carrez (RETIRED) gentoo-dev

2005-11-04 00:32:48 UTC

Embargo ended, ready to send.

Comment 15 Thierry Carrez (RETIRED) gentoo-dev

2005-11-04 00:44:26 UTC

mips should mark giflib-4.1.4 ~
ppc-macos should test and mark giflib-4.1.4 stable

Comment 16 Thierry Carrez (RETIRED) gentoo-dev

2005-11-04 00:45:05 UTC

Hm. in fact mips should even test and mark stable.

Comment 17 Fabian Groffen gentoo-dev

2005-11-04 02:39:30 UTC

I had to stable the follow packages to stable giflib-4.1.4:
urt-3.1b-r1
ghostscript-7.07.1-r10
media-fonts/gnu-gs-fonts-std-8.11

Note: I encountered bug #111455 but ignored it for now and stabled giflib.

Comment 18 Thierry Carrez (RETIRED) gentoo-dev

2005-11-04 04:34:10 UTC

GLSA 200511-03
mips should mark stable to benefit from GLSA

Comment 19 Hardave Riar (RETIRED) gentoo-dev

2005-11-20 02:14:59 UTC

Stable on mips.