Bug 963796 - (CVE-2014-9762) VUL-1: CVE-2014-9762: imlib2: Segmentation fault on images without colormap
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/161231/
CVSSv2:SUSE:CVE-2014-9762:4.3:(AV:N/A...
Reported: 2016-01-27 14:29 UTC by Johannes Segitz
Modified: 2020-06-18 02:31 UTC
Found By: Security Response Team
Comment 1 Swamp Workflow Management 2016-01-28 23:01:47 UTC
bugbot adjusting priority
Comment 2 Simon Lees 2016-04-03 04:34:22 UTC
These issues (CVE-2014-9763, CVE-2014-9764, CVE-2014-9762) are all related to handling with giflib; they also affect efl/evas in openSUSE (all supported releases). Upstream also recommends updating to 5.1.4 of giflib. I'm happy to do the imlib2 / evas fixes.

Original bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785369

giflib bug report: https://sourceforge.net/p/giflib/bugs/94/
giflib fix: https://sourceforge.net/p/giflib/code/ci/cb88511b50621233ae93858ba38f004726d1bc5d/

evas / efl upstream fix commits:
dd90b6afadf706aafec9e53a6b1efa8f899ab277
f56e33f429cfc165a5a7e7c75c5b2271ba8b58d8

Upstream Mailing list threads (don't ask why there are 4):
https://www.mail-archive.com/enlightenment-devel@lists.sourceforge.net/msg80456.html
https://www.mail-archive.com/enlightenment-devel@lists.sourceforge.net/msg80454.html
https://www.mail-archive.com/enlightenment-devel@lists.sourceforge.net/msg80444.html
Comment 3 Simon Lees 2016-04-03 22:38:49 UTC
My mistake, the issues I raised seem new, I'll create a new ticket but fix these at the same time.
Comment 4 Simon Lees 2016-04-04 00:58:17 UTC
This issue also affects evas as part of the efl in openSUSE.

Fix: https://git.enlightenment.org/core/efl.git/commit/?id=dd90b6afadf706aafec9e53a6b1efa8f899ab277
Comment 5 Simon Lees 2016-04-04 01:42:15 UTC
The series of patches in bsc#973759 supersedes and reverts this patch. As such, no action is required in SLE (the evas patch still needs to be applied in openSUSE).
Comment 6 Swamp Workflow Management 2016-05-18 12:12:27 UTC
openSUSE-SU-2016:1330-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 963796,963797,963800,973759,973761,974202,974854,975703
CVE References: CVE-2011-5326,CVE-2014-9762,CVE-2014-9763,CVE-2014-9764,CVE-2014-9771,CVE-2016-3993,CVE-2016-3994,CVE-2016-4024
Sources used:
openSUSE 13.2 (src):    imlib2-1.4.9-17.4.1
Comment 7 Marcus Meissner 2017-06-15 21:29:34 UTC
released
Comment 8 Swamp Workflow Management 2018-03-27 23:40:26 UTC
This is an autogenerated message for OBS integration:
This bug (963796) was mentioned in
https://build.opensuse.org/request/show/591766 15.0 / efl