Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 109997

Summary: media-libs/giflib: buffer overflow / null pointer deref
Product: Gentoo Security Reporter: Thierry Carrez (RETIRED) <koon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2005-10-21 01:17:32 UTC 
Chris Evans discovered that libungif 4.1.4 fixed potentially sensitive issues
that may be used to execute arbitrary code.

These issues were initially discovered by Daniel Eisenbud and silently fixed in
4.1.4.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-21 01:20:57 UTC 
Mamoru: this is a semi-public issue, could you silently add 4.1.4 to the tree so
that we are ready to disclose it by the coordinated date (2005/10/28, 1400 UTC)
Comment 2 SpanKY gentoo-dev 2005-10-21 06:50:15 UTC 
libungif is dead

only giflib should be updated and libungif should be masked
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-10-21 08:49:21 UTC 
Release date is now set to 2005/11/03
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-28 00:37:51 UTC 
CVE Ids :
CVE-2005-2974 libungif NULL pointer deref
CVE-2005-3350 libungif OOB access

usata/vapier: please bump
Comment 5 SpanKY gentoo-dev 2005-10-28 16:12:56 UTC 
giflib-4.1.4 now in portage
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-10-29 02:29:55 UTC 
Ccing security liaisons...
Please test and mark 4.1.4 stable, so that's the ebuild is ready at GLSA release
time.
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-29 08:55:52 UTC 
Stable on ppc and hppa.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2005-10-29 12:53:56 UTC 
Stable on alpha.
Comment 9 Simon Stelling (RETIRED) gentoo-dev 2005-10-30 02:53:24 UTC 
amd64 stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-31 07:21:27 UTC 
sparc stable.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2005-10-31 07:45:23 UTC 
Marked ppc64 stable (and urt)
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-11-03 02:53:58 UTC 
Adding halcyon to handle x86 stable marking.
Comment 13 Mark Loeser (RETIRED) gentoo-dev 2005-11-03 11:56:03 UTC 
x86 stable
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-11-04 00:32:48 UTC 
Embargo ended, ready to send.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-11-04 00:44:26 UTC 
mips should mark giflib-4.1.4 ~
ppc-macos should test and mark giflib-4.1.4 stable
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-11-04 00:45:05 UTC 
Hm. in fact mips should even test and mark stable.
Comment 17 Fabian Groffen gentoo-dev 2005-11-04 02:39:30 UTC 
I had to stable the follow packages to stable giflib-4.1.4:
urt-3.1b-r1
ghostscript-7.07.1-r10
media-fonts/gnu-gs-fonts-std-8.11

Note: I encountered bug #111455 but ignored it for now and stabled giflib.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-11-04 04:34:10 UTC 
GLSA 200511-03
mips should mark stable to benefit from GLSA
Comment 19 Hardave Riar (RETIRED) gentoo-dev 2005-11-20 02:14:59 UTC 
Stable on mips.