785664 – (CVE-2020-23922, CVE-2022-28506, CVE-2023-39742) <media-libs/giflib-5.2.2: multiple vulnerabilities

Bug 785664 (CVE-2020-23922, CVE-2022-28506, CVE-2023-39742) - <media-libs/giflib-5.2.2: multiple vulnerabilities

Summary: <media-libs/giflib-5.2.2: multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	CVE-2020-23922, CVE-2022-28506, CVE-2023-39742

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://sourceforge.net/p/giflib/bugs...
Whiteboard:	B3 [stable?]
Keywords:

Depends on:
Blocks:

Reported:	2021-04-25 17:24 UTC by Sam James
Modified:	2024-05-30 04:13 UTC (History)
CC List:	2 users (show)

See Also:	933163
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-04-25 17:24:42 UTC

Description:
"An issue was discovered in giflib through 5.1.4. DumpScreen2RGB in gif2rgb.c has a heap-based buffer over-read."

Bug: https://sourceforge.net/p/giflib/bugs/151/

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:22:45 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:31:03 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:39:00 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:47:09 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 18:03:06 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:11:24 UTC

Package list is empty or all packages have requested keywords.

Comment 7 John Helmert III archtester

2022-04-26 00:08:20 UTC

CVE-2022-28506:

There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45.

Comment 8 Allen Webb 2023-10-10 14:41:59 UTC

CVE-2023-39742
"""
giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.
"""
https://nvd.nist.gov/vuln/detail/CVE-2023-39742

Comment 9 Sam James archtester

2024-05-30 03:32:39 UTC

5.2.1 vs 5.2.2:

+<refsect1><title>Bugs</title>
+
+<para>Feeding this utility a GIF with an invalid colormap, or other
+kinds of malformations, index will produce invalid output and may
+core-dump the tool. Don't do that.</para>
+
+</refsect1>

Comment 10 Larry the Git Cow gentoo-dev

2024-05-30 03:54:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=033629cddfc22d7bcead70daa7b6eaa76f0bc623

commit 033629cddfc22d7bcead70daa7b6eaa76f0bc623
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-30 03:50:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-30 03:53:53 +0000

    media-libs/giflib: add 5.2.2
    
    The release notes mention CVE-2023-48161 and CVE-2022-28506 by CVE but
    there's a bunch of other security fixes in the list of fixes.
    
    The documentation in this release also adds:
    """
    +<refsect1><title>Bugs</title>
    +
    +<para>Feeding this utility a GIF with an invalid colormap, or other
    +kinds of malformations, index will produce invalid output and may
    +core-dump the tool. Don't do that.</para>
    +
    +</refsect1>
    """
    
    Anyway, on the ebuild side:
    * Replace Makefile patch for doc building conditionally with a sed
    * Make tests more verbose (needed it when debugging bug #848807)
    * Cleanup reallocarray hack (bug #677956)
    * Add LFS support (bug #915316)
    
    Bug: https://bugs.gentoo.org/677956
    Bug: https://bugs.gentoo.org/785664
    Bug: https://bugs.gentoo.org/851945
    Bug: https://bugs.gentoo.org/918539
    Closes: https://bugs.gentoo.org/848807
    Closes: https://bugs.gentoo.org/915316
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/giflib/Manifest                         |  1 +
 media-libs/giflib/files/giflib-5.2.2-fortify.patch | 27 ++++++++
 .../giflib/files/giflib-5.2.2-verbose-tests.patch  | 74 +++++++++++++++++++++
 media-libs/giflib/giflib-5.2.2.ebuild              | 76 ++++++++++++++++++++++
 4 files changed, 178 insertions(+)