Bug 1074432 (CVE-2017-1000421)

Summary: VUL-0: CVE-2017-1000421: gifsicle: use-after-free in the read_gif function
Product: [openSUSE] openSUSE Distribution Reporter: Alexander Bergmann <abergmann>
Component: SecurityAssignee: Manfred Schwarb <manfred99>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, astieger
Version: Leap 42.3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/197517/
Whiteboard: CVSSv3:RedHat:CVE-2017-1000421:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2017-1000421:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2017-18120:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-1000421:7.0:(AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2018-01-03 08:46:23 UTC
CVE-2017-1000421

Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in the
read_gif function resulting potential code execution

Upstream bug:
https://github.com/kohler/gifsicle/issues/114

Upstream fix:
https://github.com/kohler/gifsicle/commit/81fd7823f6d9c85ab598bc850e40382068361185

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000421
Comment 1 Alexander Bergmann 2018-01-03 08:49:41 UTC
Hi Martin, there is currently no maintainer assigned to gifsicle. Therefore I've took the last person who from the changes file.

Would it be possible for you to maintain this package in general?
Comment 2 Martin Pluskal 2018-01-03 09:12:35 UTC
(In reply to Alexander Bergmann from comment #1)
> Hi Martin, there is currently no maintainer assigned to gifsicle. Therefore
> I've took the last person who from the changes file.
https://build.opensuse.org/package/view_file/graphics/gifsicle/gifsicle.changes?expand=1
Comment 3 Alexander Bergmann 2018-01-03 15:08:00 UTC
(In reply to Martin Pluskal from comment #2)
> https://build.opensuse.org/package/view_file/graphics/gifsicle/gifsicle.changes?expand=1

Factory first. Thanks. ;)
Comment 4 Manfred Schwarb 2018-01-03 21:37:59 UTC
The fix is also in Factory / Tumbleweed, since 3 months.
And some more are on the way atm.

How is the workflow to escalate it to Leap?
Comment 5 Alexander Bergmann 2018-01-04 15:44:02 UTC
Hi Manfred,

you need to hand in maintenance submissions. Usually a mbranch should be enough to check out all maintained gifsicle versions, but it's also possible to use a simple branch and fix it there.

After you've fixed/updated the package you can simply hand in the update as a maintenancerequest (mr).

Thanks,
Alex~
Comment 7 Marcus Meissner 2018-01-15 10:48:22 UTC
released