Bug 1074432 (CVE-2017-1000421)

Summary: VUL-0: CVE-2017-1000421: gifsicle: use-after-free in the read_gif function
Product: [openSUSE] openSUSE Distribution
Reporter: Alexander Bergmann <abergmann>
Component: Security
Assignee: Manfred Schwarb <manfred99>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, astieger
Version: Leap 42.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/197517/
Whiteboard: CVSSv3:RedHat:CVE-2017-1000421:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2017-1000421:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2017-18120:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-1000421:7.0:(AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2018-01-03 08:46:23 UTC

Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in the
read_gif function, resulting in potential code execution.

Upstream bug:

Upstream fix:

Comment 1 Alexander Bergmann 2018-01-03 08:49:41 UTC
Hi Martin, there is currently no maintainer assigned to gifsicle. Therefore I've taken the last person from the changes file.

Would it be possible for you to maintain this package in general?
Comment 2 Martin Pluskal 2018-01-03 09:12:35 UTC
(In reply to Alexander Bergmann from comment #1)
> Hi Martin, there is currently no maintainer assigned to gifsicle. Therefore
> I've taken the last person from the changes file.
Comment 3 Alexander Bergmann 2018-01-03 15:08:00 UTC
(In reply to Martin Pluskal from comment #2)
> https://build.opensuse.org/package/view_file/graphics/gifsicle/gifsicle.changes?expand=1

Factory first. Thanks. ;)
Comment 4 Manfred Schwarb 2018-01-03 21:37:59 UTC
The fix has also been in Factory / Tumbleweed for 3 months.
And some more are on the way atm.

How is the workflow to escalate it to Leap?
Comment 5 Alexander Bergmann 2018-01-04 15:44:02 UTC
Hi Manfred,

you need to hand in maintenance submissions. Usually an mbranch should be enough to check out all maintained gifsicle versions, but it's also possible to use a simple branch and fix it there.

After you've fixed/updated the package you can simply hand in the update as a maintenance request (mr).

Comment 7 Marcus Meissner 2018-01-15 10:48:22 UTC