Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918539 (CVE-2023-48161) - media-libs/giflib: buffer overflow
Summary: media-libs/giflib: buffer overflow
Status: UNCONFIRMED
Alias: CVE-2023-48161
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-25 17:40 UTC by Christopher Fore
Modified: 2024-05-30 04:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2023-11-25 17:40:53 UTC 
CVE-2023-48161 (https://github.com/tacetool/TACE#cve-2023-48161):

Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpSCreen2RGB function in gif2rgb.c
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 19:39:19 UTC 
Is there an upstream report?
Comment 2 Christopher Fore 2023-11-25 19:41:42 UTC 
Yes, sorry, I wasn't sure which to use since they were both linked in the CVE

https://sourceforge.net/p/giflib/bugs/167/
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-30 03:32:48 UTC 
5.2.1 vs 5.2.2:

+<refsect1><title>Bugs</title>
+
+<para>Feeding this utility a GIF with an invalid colormap, or other
+kinds of malformations, index will produce invalid output and may
+core-dump the tool. Don't do that.</para>
+
+</refsect1>
Comment 4 Larry the Git Cow gentoo-dev 2024-05-30 03:54:16 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=033629cddfc22d7bcead70daa7b6eaa76f0bc623

commit 033629cddfc22d7bcead70daa7b6eaa76f0bc623
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-30 03:50:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-30 03:53:53 +0000

    media-libs/giflib: add 5.2.2
    
    The release notes mention CVE-2023-48161 and CVE-2022-28506 by CVE but
    there's a bunch of other security fixes in the list of fixes.
    
    The documentation in this release also adds:
    """
    +<refsect1><title>Bugs</title>
    +
    +<para>Feeding this utility a GIF with an invalid colormap, or other
    +kinds of malformations, index will produce invalid output and may
    +core-dump the tool. Don't do that.</para>
    +
    +</refsect1>
    """
    
    Anyway, on the ebuild side:
    * Replace Makefile patch for doc building conditionally with a sed
    * Make tests more verbose (needed it when debugging bug #848807)
    * Cleanup reallocarray hack (bug #677956)
    * Add LFS support (bug #915316)
    
    Bug: https://bugs.gentoo.org/677956
    Bug: https://bugs.gentoo.org/785664
    Bug: https://bugs.gentoo.org/851945
    Bug: https://bugs.gentoo.org/918539
    Closes: https://bugs.gentoo.org/848807
    Closes: https://bugs.gentoo.org/915316
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/giflib/Manifest                         |  1 +
 media-libs/giflib/files/giflib-5.2.2-fortify.patch | 27 ++++++++
 .../giflib/files/giflib-5.2.2-verbose-tests.patch  | 74 +++++++++++++++++++++
 media-libs/giflib/giflib-5.2.2.ebuild              | 76 ++++++++++++++++++++++
 4 files changed, 178 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-30 03:56:15 UTC 
This one does NOT seem fixed: https://sourceforge.net/p/giflib/bugs/167/#215e.