Bug 1074432 (CVE-2017-1000421)

Summary:	VUL-0: CVE-2017-1000421: gifsicle: use-after-free in the read_gif function
Product:	[openSUSE] openSUSE Distribution	Reporter:	Alexander Bergmann <abergmann>
Component:	Security	Assignee:	Manfred Schwarb <manfred99>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	abergmann, astieger
Version:	Leap 42.3
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/197517/
Whiteboard:	CVSSv3:RedHat:CVE-2017-1000421:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2017-1000421:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2017-18120:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-1000421:7.0:(AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Alexander Bergmann 2018-01-03 08:46:23 UTC

CVE-2017-1000421

Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in the
read_gif function resulting potential code execution

Upstream bug:
https://github.com/kohler/gifsicle/issues/114

Upstream fix:
https://github.com/kohler/gifsicle/commit/81fd7823f6d9c85ab598bc850e40382068361185

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000421

Comment 1 Alexander Bergmann 2018-01-03 08:49:41 UTC

Hi Martin, there is currently no maintainer assigned to gifsicle. Therefore I've took the last person who from the changes file.

Would it be possible for you to maintain this package in general?

Comment 2 Martin Pluskal 2018-01-03 09:12:35 UTC

(In reply to Alexander Bergmann from comment #1)
> Hi Martin, there is currently no maintainer assigned to gifsicle. Therefore
> I've took the last person who from the changes file.
https://build.opensuse.org/package/view_file/graphics/gifsicle/gifsicle.changes?expand=1

Comment 3 Alexander Bergmann 2018-01-03 15:08:00 UTC

(In reply to Martin Pluskal from comment #2)
> https://build.opensuse.org/package/view_file/graphics/gifsicle/gifsicle.changes?expand=1

Factory first. Thanks. ;)

Comment 4 Manfred Schwarb 2018-01-03 21:37:59 UTC

The fix is also in Factory / Tumbleweed, since 3 months.
And some more are on the way atm.

How is the workflow to escalate it to Leap?

Comment 5 Alexander Bergmann 2018-01-04 15:44:02 UTC

Hi Manfred,

you need to hand in maintenance submissions. Usually a mbranch should be enough to check out all maintained gifsicle versions, but it's also possible to use a simple branch and fix it there.

After you've fixed/updated the package you can simply hand in the update as a maintenancerequest (mr).

Thanks,
Alex~

Comment 6 Andreas Stieger 2018-01-09 17:06:33 UTC

https://build.opensuse.org/request/show/563102
https://build.opensuse.org/request/show/563103

Comment 7 Marcus Meissner 2018-01-15 10:48:22 UTC

released