giflib appears to have a terrible security profile: * bug 785664 * bug 851945 * bug 918539 In the latest upstream release, they indicated that they aren't interested in any sort of bug reports on invalid input. Please consider, if appropriate, either dropping USE=gif support, package.use.masking it, or perhaps disabling it by default via package.use (given the desktop profiles enable USE=gif by default). If this package is expected to only interact with trusted gifs or you feel it's critical to the functionality of this package, feel free to close as WONTFIX. Thanks. If you're not sure, consider raising this with upstream of this package to see what they suggest.
NRK raises a fair point at https://bugs.gentoo.org/933166#c2 -- the reported vulnerabilities are in giflib's utilities. As I write there, I'm suspicious about how robust giflib is, but maybe I panicked a bit. I still think we should reduce unnecessary use though.