Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 195612

Summary: dev-lang/tk <= 8.4.12 Buffer Overflow Vulnerability (CVE-2007-5378)
Product: Gentoo Security Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: minor CC: tcltk
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://sourceforge.net/tracker/?func=detail&atid=112997&aid=1458234&group_id=12997
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 178320    
Bug Blocks:    

Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-12 12:21:00 UTC 
CVE-2007-5378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5378):
  Buffer overflow in the FileReadGIF function in tkImgGIF.c for Tk Toolkit
  8.4.12 and earlier, and 8.3.5 and earlier, allows user-assisted attackers to
  cause a denial of service (segmentation fault) via an animated GIF in which
  the first subimage is smaller than a subsequent subimage, which triggers the
  overflow in the ReadImage function, a different vulnerability than
  CVE-2007-5137.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-12 12:27:29 UTC 
A version greater than 8.4.12 is already stable (for all archs but mips), but there may still be users running a vulnerable version.
Tcltk, is it possible to remove 8.4.9 from the tree and to stabilise 8.4.16[-r1] on mips? Please advise.
Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2007-10-14 07:30:47 UTC 
I'm waiting to remove old versions in Bug #178320.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-12 02:38:04 UTC 
Having insecure versions besides the secure ones is not a security issue, and mips is not supported.

Closing, feel free to reopen if you disagree.