Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 933163

Summary: [Tracker] Drop (possibly-)unnecessary use of unsafe media-libs/giflib where exposed to untrusted input
Product: Gentoo Linux Reporter: Sam James <sam>
Component: Current packagesAssignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: CONFIRMED ---    
Severity: normal Keywords: Tracker
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=785664
https://bugs.gentoo.org/show_bug.cgi?id=851945
https://bugs.gentoo.org/show_bug.cgi?id=918539
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 933161, 933162, 933164, 933165, 933166, 933167, 933160    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-30 04:12:19 UTC 
giflib appears to have a terrible security profile:
* bug 785664 	
* bug 851945
* bug 918539

In the latest upstream release, they indicated that they aren't interested in any sort of bug reports on invalid input.

Please consider, if appropriate, either dropping USE=gif support, package.use.masking it, or perhaps disabling it by default via package.use (given the desktop profiles enable USE=gif by default).

If this package is expected to only interact with trusted gifs or you feel it's critical to the functionality of this package, feel free to close as WONTFIX. Thanks.

If you're not sure, consider raising this with upstream of this package to see what they suggest.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-30 05:24:22 UTC 
NRK raises a fair point at https://bugs.gentoo.org/933166#c2 -- the reported vulnerabilities are in giflib's utilities. As I write there, I'm suspicious about how robust giflib is, but maybe I panicked a bit.

I still think we should reduce unnecessary use though.