1212645 – (CVE-2023-36193) VUL-0: CVE-2023-36193: gifsicle: heap buffer overflow via the ambiguity_error component at /src/clp.c

Bug 1212645 (CVE-2023-36193) - VUL-0: CVE-2023-36193: gifsicle: heap buffer overflow via the ambiguity_error component at /src/clp.c

Summary: VUL-0: CVE-2023-36193: gifsicle: heap buffer overflow via the ambiguity_error...

Status:	RESOLVED FIXED

Alias:	CVE-2023-36193

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Manfred Schwarb
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/370252/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-06-23 09:39 UTC by Cathy Hu
Modified:	2023-06-29 19:04 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Cathy Hu 2023-06-23 09:39:23 UTC

CVE-2023-36193

Gifsicle v1.9.3 was discovered to contain a heap buffer overflow via the
ambiguity_error component at /src/clp.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36193
https://www.cve.org/CVERecord?id=CVE-2023-36193
https://github.com/kohler/gifsicle/issues/191

Comment 1 Cathy Hu 2023-06-23 09:40:44 UTC

We have gifsicle here:
- openSUSE:Backports:SLE-15-SP4/gifsicle  1.93 
- openSUSE:Factory/gifsicle               1.93

Comment 2 Manfred Schwarb 2023-06-23 10:01:05 UTC

I contacted upstream to do a new release.
Stay tuned.

Comment 3 OBSbugzilla Bot 2023-06-24 22:25:02 UTC

This is an autogenerated message for OBS integration:
This bug (1212645) was mentioned in
https://build.opensuse.org/request/show/1095159 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / gifsicle

Comment 4 Marcus Meissner 2023-06-27 07:36:54 UTC

issue seems a buffer overread (not overwrite).

Comment 5 Marcus Meissner 2023-06-29 16:06:08 UTC

openSUSE-SU-2023:0160-1: An update that fixes one vulnerability is now available.\n\nCategory: security (important)\nBug References: 1212645\nCVE References: CVE-2023-36193\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP5 (src):    gifsicle-1.94-bp155.3.3.1\nopenSUSE Backports SLE-15-SP4 (src):    gifsicle-1.94-bp154.2.3.1\n\n

Comment 6 Manfred Schwarb 2023-06-29 19:04:25 UTC

Done.