Bug 974847 - (CVE-2016-3977) VUL-0: CVE-2016-3977: giflib: heap buffer overflow in gif2rgb
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/166961/
CVSSv2:RedHat:CVE-2016-3977:4.3:(AV:N...
Reported: 2016-04-11 09:17 UTC by Johannes Segitz
Modified: 2022-05-06 19:17 UTC
Found By: Security Response Team
Comment 1 Swamp Workflow Management 2016-04-11 22:00:54 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2016-04-12 09:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (974847) was mentioned in
https://build.opensuse.org/request/show/387897 13.2 / giflib
https://build.opensuse.org/request/show/387903 13.1 / giflib
Comment 4 Bernhard Wiedemann 2016-04-12 10:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (974847) was mentioned in
https://build.opensuse.org/request/show/387921 Factory / giflib
https://build.opensuse.org/request/show/387924 13.1 / giflib
https://build.opensuse.org/request/show/387927 13.2 / giflib
Comment 7 Bernhard Wiedemann 2016-04-12 12:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (974847) was mentioned in
https://build.opensuse.org/request/show/387981 13.1 / giflib
Comment 8 Bernhard Wiedemann 2016-04-12 14:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (974847) was mentioned in
https://build.opensuse.org/request/show/388191 Factory / giflib
Comment 9 Swamp Workflow Management 2016-04-20 16:08:04 UTC
openSUSE-SU-2016:1111-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 974847
CVE References: CVE-2016-3977
Sources used:
openSUSE 13.2 (src):    giflib-5.0.5-4.6.1
Comment 10 Swamp Workflow Management 2016-04-20 21:07:57 UTC
openSUSE-SU-2016:1118-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 974847
CVE References: CVE-2016-3977
Sources used:
openSUSE 13.1 (src):    giflib-5.0.5-2.9.1
Comment 11 Swamp Workflow Management 2016-04-25 11:09:16 UTC
SUSE-SU-2016:1139-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 974847
CVE References: CVE-2016-3977
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    giflib-4.1.6-21.1
SUSE Linux Enterprise Server 11-SP4 (src):    giflib-4.1.6-21.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    giflib-4.1.6-21.1
Comment 12 Swamp Workflow Management 2016-04-25 11:09:37 UTC
SUSE-SU-2016:1140-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 974847
CVE References: CVE-2016-3977
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    giflib-5.0.5-12.1
SUSE Linux Enterprise Software Development Kit 12 (src):    giflib-5.0.5-12.1
SUSE Linux Enterprise Server 12-SP1 (src):    giflib-5.0.5-12.1
SUSE Linux Enterprise Server 12 (src):    giflib-5.0.5-12.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    giflib-5.0.5-12.1
SUSE Linux Enterprise Desktop 12 (src):    giflib-5.0.5-12.1
Comment 13 Swamp Workflow Management 2016-05-04 14:11:07 UTC
openSUSE-SU-2016:1219-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 974847
CVE References: CVE-2016-3977
Sources used:
openSUSE Leap 42.1 (src):    giflib-5.0.5-10.1
Comment 14 Marcus Meissner 2016-05-25 06:58:38 UTC
Released, I think.
Comment 15 Swamp Workflow Management 2022-05-06 19:17:37 UTC
SUSE-SU-2022:1565-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1094832,1146299,1184123,974847
CVE References: CVE-2016-3977,CVE-2018-11490,CVE-2019-15133
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    giflib-5.2.1-150000.4.8.1
openSUSE Leap 15.3 (src):    giflib-5.2.1-150000.4.8.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    giflib-5.2.1-150000.4.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    giflib-5.2.1-150000.4.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    giflib-5.2.1-150000.4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.