Bugzilla – Bug 960319
VUL-0: CVE-2015-7555: giflib: Heap-based buffer overflow in giffix utility
Last modified: 2016-01-29 22:11:56 UTC
rh#1290785

A heap-based buffer overflow vulnerability was found in giffix utility of giflib when processing records of the type `IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer' equaling the value of the logical screen width, `GifFileIn->SWidth', while subsequently having `GifFileIn->Image.Width' bytes of data written to it.

Vulnerable code:

giflib-5.1.1/util/giffix.c #35..194:
| int main(int argc, char **argv)
| {
|     [...]
|     if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL)
|         GIF_EXIT("Failed to allocate memory required, aborted.");
|
|     /* Scan the content of the GIF file and load the image(s) in: */
|     do {
|         [...]
|         switch (RecordType) {
|             case IMAGE_DESC_RECORD_TYPE:
|                 if (DGifGetImageDesc(GifFileIn) == GIF_ERROR)
|                     QuitGifError(GifFileIn, GifFileOut);
|                 [...]
|                 Width = GifFileIn->Image.Width;
|                 Height = GifFileIn->Image.Height;
|                 [...]
|                 /* Find the darkest color in color map to use as a filler. */
|                 ColorMap = (GifFileIn->Image.ColorMap ? GifFileIn->Image.ColorMap :
|                                                         GifFileIn->SColorMap);
|                 for (i = 0; i < ColorMap->ColorCount; i++) {
|                     j = ((int) ColorMap->Colors[i].Red) * 30 +
|                         ((int) ColorMap->Colors[i].Green) * 59 +
|                         ((int) ColorMap->Colors[i].Blue) * 11;
|                     if (j < ColorIntens) {
|                         ColorIntens = j;
|                         DarkestColor = i;
|                     }
|                 }
|
|                 /* Load the image, and dump it. */
|                 for (i = 0; i < Height; i++) {
|                     GifQprintf("\b\b\b\b%-4d", i);
|                     if (DGifGetLine(GifFileIn, LineBuffer, Width)
|                         == GIF_ERROR) break;
|                     if (EGifPutLine(GifFileOut, LineBuffer, Width)
|                         == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
|                 }
|
|                 if (i < Height) {
|                     [...]
|                     /* Fill in with the darkest color in color map. */
|                     for (j = 0; j < Width; j++)
|                         LineBuffer[j] = DarkestColor;
|                     for (; i < Height; i++)
|                         if (EGifPutLine(GifFileOut, LineBuffer, Width)
|                             == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
|                 }
|                 break;
|             [...]
|         }
|     }
|     while (RecordType != TERMINATE_RECORD_TYPE);
|     [..]
| }

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1290785
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7555
http://seclists.org/oss-sec/2015/q4/548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7555

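A check for the width mismatch described in this report, as an added example (not giflib code and not the patch shipped in the updates below): it walks a GIF's block structure and flags any image descriptor whose width exceeds the logical screen width. The function names, result codes and both byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Names and sample bytes are constructed for this example. */
enum { GIF_WIDTHS_OK = 0, GIF_TOO_WIDE = 1, GIF_MALFORMED = -1 };
/* Constructed: well-formed 4x4 image on a 4x4 logical screen. */
static const uint8_t SAMPLE_OK[] = { 'G','I','F','8','9','a', 4,0, 4,0, 0,0,0,
    0x2C, 0,0, 0,0, 4,0, 4,0, 0,  2, 1,0, 0,  0x3B };
/* Constructed fragment (header + image descriptor only): width 8, screen 4. */
static const uint8_t SAMPLE_WIDE[] = { 'G','I','F','8','9','a', 4,0, 4,0, 0,0,0,
    0x2C, 0,0, 0,0, 8,0, 4,0, 0 };

static unsigned le16(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }

/* Skip a chain of data sub-blocks (length byte + data, ended by a 0 byte). */
static int skip_sub_blocks(const uint8_t *b, size_t n, size_t *pos)
{
    while (*pos < n) {
        size_t len = b[(*pos)++];
        if (len == 0) return 0;
        if (len > n - *pos) return -1;
        *pos += len;
    }
    return -1;
}

/* Compare every image descriptor's width (Image.Width) with the logical
 * screen width (SWidth), the two fields the report says giffix mixes up. */
int gif_check_widths(const uint8_t *b, size_t n)
{
    if (n < 13 || b[0] != 'G' || b[1] != 'I' || b[2] != 'F') return GIF_MALFORMED;
    unsigned swidth = le16(b + 6);
    size_t pos = 13 + ((b[10] & 0x80) ? 3u << ((b[10] & 7) + 1) : 0);
    while (pos < n) {
        uint8_t tag = b[pos++];
        if (tag == 0x3B) return GIF_WIDTHS_OK;          /* trailer */
        if (tag == 0x2C) {                              /* image descriptor */
            if (n - pos < 9) return GIF_MALFORMED;
            if (le16(b + pos + 4) > swidth) return GIF_TOO_WIDE;
            pos += 9 + ((b[pos + 8] & 0x80) ? 3u << ((b[pos + 8] & 7) + 1) : 0);
        } else if (tag != 0x21) return GIF_MALFORMED;   /* not an extension */
        /* One byte (LZW code size or extension label), then data sub-blocks. */
        if (pos >= n) return GIF_MALFORMED;
        pos++;
        if (skip_sub_blocks(b, n, &pos)) return GIF_MALFORMED;
    }
    return GIF_MALFORMED;                               /* no trailer seen */
}

int main(void) { return gif_check_widths(SAMPLE_WIDE, sizeof SAMPLE_WIDE) == GIF_TOO_WIDE ? 0 : 1; }
```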
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Jan. 19, 2016". When done, reassign the bug to "security-team@suse.de". /update/121225/.
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Jan. 19, 2016". When done, reassign the bug to "security-team@suse.de". /update/62407/.

This is an autogenerated message for OBS integration:
This bug (960319) was mentioned in
https://build.opensuse.org/request/show/354774 Factory / giflib
https://build.opensuse.org/request/show/354779 13.2 / giflib
https://build.opensuse.org/request/show/354781 13.1 / giflib

All submissions received, re-assigning to security team.

SUSE-SU-2016:0192-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 960319
CVE References: CVE-2015-7555
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): giflib-4.1.6-13.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): giflib-4.1.6-13.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): giflib-4.1.6-13.1
SUSE Linux Enterprise Server 11-SP4 (src): giflib-4.1.6-13.1
SUSE Linux Enterprise Server 11-SP3 (src): giflib-4.1.6-13.1
SUSE Linux Enterprise Desktop 11-SP4 (src): giflib-4.1.6-13.1
SUSE Linux Enterprise Desktop 11-SP3 (src): giflib-4.1.6-13.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): giflib-4.1.6-13.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): giflib-4.1.6-13.1

openSUSE-SU-2016:0201-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 949160,960319
CVE References: CVE-2015-7555
Sources used:
openSUSE 13.2 (src): giflib-5.0.5-4.3.1

SUSE-SU-2016:0202-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 949160,960319
CVE References: CVE-2015-7555
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): giflib-5.0.5-7.1
SUSE Linux Enterprise Software Development Kit 12 (src): giflib-5.0.5-7.1
SUSE Linux Enterprise Server 12-SP1 (src): giflib-5.0.5-7.1
SUSE Linux Enterprise Server 12 (src): giflib-5.0.5-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src): giflib-5.0.5-7.1
SUSE Linux Enterprise Desktop 12 (src): giflib-5.0.5-7.1

openSUSE-SU-2016:0207-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 949160,960319
CVE References: CVE-2015-7555
Sources used:
openSUSE 13.1 (src): giflib-5.0.5-2.3.1

done

openSUSE-SU-2016:0289-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 949160,960319
CVE References: CVE-2015-7555
Sources used:
openSUSE Leap 42.1 (src): giflib-5.0.5-7.1