Summary: | <media-libs/giflib-5.2.2: multiple vulnerabilities
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Status: | IN_PROGRESS ---
Severity: | minor
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Sam James <sam>
Assignee: | Gentoo Security <security>
CC: | allenwebb, codec
Keywords: | PullRequest
URL: | https://sourceforge.net/p/giflib/bugs/159/
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=933163 https://github.com/gentoo/gentoo/pull/38973
Whiteboard: | B3 [glsa?]
Package list: |
Runtime testing required: | ---
Bug Depends on: | 940108
Bug Blocks: |

Description
Sam James
2021-04-25 17:24:42 UTC
Package list is empty or all packages have requested keywords.

CVE-2022-28506:

There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45.

CVE-2023-39742

"""
giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.
"""

https://nvd.nist.gov/vuln/detail/CVE-2023-39742

5.2.1 vs 5.2.2:

+<refsect1><title>Bugs</title>
+
+<para>Feeding this utility a GIF with an invalid colormap, or other
+kinds of malformations, index will produce invalid output and may
+core-dump the tool. Don't do that.</para>
+
+</refsect1>

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=033629cddfc22d7bcead70daa7b6eaa76f0bc623

commit 033629cddfc22d7bcead70daa7b6eaa76f0bc623
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-30 03:50:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-30 03:53:53 +0000

    media-libs/giflib: add 5.2.2

    The release notes mention CVE-2023-48161 and CVE-2022-28506 by CVE but there's
    a bunch of other security fixes in the list of fixes.

    The documentation in this release also adds:
    """
    +<refsect1><title>Bugs</title>
    +
    +<para>Feeding this utility a GIF with an invalid colormap, or other
    +kinds of malformations, index will produce invalid output and may
    +core-dump the tool. Don't do that.</para>
    +
    +</refsect1>
    """

    Anyway, on the ebuild side:
    * Replace Makefile patch for doc building conditionally with a sed
    * Make tests more verbose (needed it when debugging bug #848807)
    * Cleanup reallocarray hack (bug #677956)
    * Add LFS support (bug #915316)

    Bug: https://bugs.gentoo.org/677956
    Bug: https://bugs.gentoo.org/785664
    Bug: https://bugs.gentoo.org/851945
    Bug: https://bugs.gentoo.org/918539
    Closes: https://bugs.gentoo.org/848807
    Closes: https://bugs.gentoo.org/915316
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/giflib/Manifest | 1 +
 media-libs/giflib/files/giflib-5.2.2-fortify.patch | 27 ++++++++
 .../giflib/files/giflib-5.2.2-verbose-tests.patch | 74 +++++++++++++++++++++
 media-libs/giflib/giflib-5.2.2.ebuild | 76 ++++++++++++++++++++++
 4 files changed, 178 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a7d22a740c997631b0cb105c996cdfc408a1c53

commit 6a7d22a740c997631b0cb105c996cdfc408a1c53
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-10-13 08:29:59 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-10-13 13:51:05 +0000

    media-libs/giflib: drop 5.2.1-r1

    Bug: https://bugs.gentoo.org/785664
    Bug: https://bugs.gentoo.org/851945
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/giflib/Manifest | 1 -
 media-libs/giflib/giflib-5.2.1-r1.ebuild | 76 --------------------------------
 2 files changed, 77 deletions(-)