Bug 1074432 - (CVE-2017-1000421) VUL-0: CVE-2017-1000421: gifsicle: use-after-free in the read_gif function
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.3
Priority: P3 - Medium, Severity: Normal
Assigned To: Manfred Schwarb
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/197517/
Whiteboard: CVSSv3:RedHat:CVE-2017-1000421:3.3:(...
Reported: 2018-01-03 08:46 UTC by Alexander Bergmann
Modified: 2018-02-05 13:53 UTC
Found By: Security Response Team


Description Alexander Bergmann 2018-01-03 08:46:23 UTC
CVE-2017-1000421

Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in the
read_gif function, resulting in potential code execution.

Upstream bug:
https://github.com/kohler/gifsicle/issues/114

Upstream fix:
https://github.com/kohler/gifsicle/commit/81fd7823f6d9c85ab598bc850e40382068361185

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000421
Comment 1 Alexander Bergmann 2018-01-03 08:49:41 UTC
Hi Martin, there is currently no maintainer assigned to gifsicle. Therefore I've taken the last person from the changes file.

Would it be possible for you to maintain this package in general?
Comment 2 Martin Pluskal 2018-01-03 09:12:35 UTC
(In reply to Alexander Bergmann from comment #1)
> Hi Martin, there is currently no maintainer assigned to gifsicle. Therefore
> I've taken the last person from the changes file.
https://build.opensuse.org/package/view_file/graphics/gifsicle/gifsicle.changes?expand=1
Comment 3 Alexander Bergmann 2018-01-03 15:08:00 UTC
(In reply to Martin Pluskal from comment #2)
> https://build.opensuse.org/package/view_file/graphics/gifsicle/gifsicle.changes?expand=1

Factory first. Thanks. ;)
Comment 4 Manfred Schwarb 2018-01-03 21:37:59 UTC
The fix has also been in Factory / Tumbleweed for 3 months.
And some more are on the way atm.

What is the workflow to escalate it to Leap?
Comment 5 Alexander Bergmann 2018-01-04 15:44:02 UTC
Hi Manfred,

you need to hand in maintenance submissions. Usually an mbranch should be enough to check out all maintained gifsicle versions, but it's also possible to use a simple branch and fix it there.

After you've fixed/updated the package you can simply hand in the update as a maintenancerequest (mr).

Thanks,
Alex~
Comment 7 Marcus Meissner 2018-01-15 10:48:22 UTC
released