Your message dated Fri, 2 Dec 2022 12:39:01 +0100
with message-id <y4nj1w+1udrm1...@alf.mars>
and subject line Re: Bug#904113: CVE-2018-11489
has caused the Debian Bug report #904113,
regarding CVE-2018-11489
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
904113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: giflib
Severity: important
Tags: security

https://sourceforge.net/p/giflib/bugs/112/

--- End Message ---
--- Begin Message ---
Version: 4.1.6-11

Hi Salvatore,

On Sat, Jan 02, 2021 at 01:35:09PM +0100, Salvatore Bonaccorso wrote:
> Looks the wrong bug was closed here? CVE-2018-11490 was sf#113, while
> this one is CVE-2018-11489, sf#112, which does not seem to be addressed
> yet (although the upstream report disappeared).

I looked into this and think this is fixed.

Since the issue disappeared, all we have is the vulnerability
description:

| The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly
| version 3.0.x), as later shipped in cgif.c in sam2p 0.49.4, has a
| heap-based buffer overflow because a certain CrntCode array index
| is not checked. This will lead to a denial of service or possibly
| unspecified other impact.

Looking into DGifDecompressLine, the offending CrntCode is obtained
using DGifDecompressInput. If you look at how that value is assigned, one
of the CodeMasks is always used to assign it. The maximum mask is 0xfff
or 4095. So we're using this number to index into the Prefix array,
which is statically sized LZ_MAX_CODE + 1 == 4096. This all seems fine
to me.

Looking into sam2p, we can see stefan-cornelius proposed a patch:
https://github.com/pts/sam2p/files/2252965/sam2p_CVEs.patch.txt

This patch adds the code that ensures that DGifDecompressInput never
yields a value exceeding the maximum mask, and I see how it addresses the
vulnerability quoted earlier. It has been applied even to jessie and has
been present since the start of giflib's git history.

As such, I conclude that sam2p was shipping a very old fork of giflib
and that giflib fixed this a long time ago.

I'm also going to update the security tracker.

Helmut

--- End Message ---
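The bounds argument in Helmut's message, as an added illustration that is not giflib's or sam2p's code: a simplified LSB-first LZW code reader (the BitReader helper and the demo inputs are constructed here) that caps the code size at LZ_BITS so the CodeMasks lookup, and therefore the CrntCode value, can never exceed LZ_MAX_CODE, which is what keeps the Prefix[LZ_MAX_CODE + 1] index in range.

```c
#include <stdint.h>
#include <stddef.h>

#define LZ_BITS     12     /* GIF LZW codes are at most 12 bits wide */
#define LZ_MAX_CODE 4095   /* largest code a 12-bit mask can yield */

/* Mask per code size; CodeMasks[LZ_BITS] == 0xfff, so no masked code exceeds 4095. */
static const uint16_t CodeMasks[LZ_BITS + 1] = {
    0x0000, 0x0001, 0x0003, 0x0007, 0x000f, 0x001f, 0x003f, 0x007f,
    0x00ff, 0x01ff, 0x03ff, 0x07ff, 0x0fff
};
/* Prefix table sized exactly as the thread describes: LZ_MAX_CODE + 1 entries. */
static uint16_t Prefix[LZ_MAX_CODE + 1];

/* Minimal LSB-first bit reader over an in-memory buffer (hypothetical helper). */
typedef struct {
    const uint8_t *data; size_t len, pos;
    uint32_t bits;   /* buffered bits not yet consumed */
    int nbits;       /* number of valid bits in 'bits' */
} BitReader;

/* Read one code of CodeSize bits into *CrntCode. Returns 0 on success, -1 when the
 * code size is outside 1..LZ_BITS (would index past CodeMasks and could produce a
 * code > LZ_MAX_CODE) or when the input is truncated. */
int read_code(BitReader *br, int CodeSize, int *CrntCode) {
    if (CodeSize < 1 || CodeSize > LZ_BITS) return -1;   /* the bounding check */
    while (br->nbits < CodeSize) {
        if (br->pos >= br->len) return -1;               /* truncated input */
        br->bits |= (uint32_t)br->data[br->pos++] << br->nbits;
        br->nbits += 8;
    }
    *CrntCode = (int)(br->bits & CodeMasks[CodeSize]);   /* always <= LZ_MAX_CODE */
    br->bits >>= CodeSize;
    br->nbits -= CodeSize;
    return 0;
}

/* Index Prefix[] only after the same range check; -1 signals an invalid code. */
int lookup_prefix(int CrntCode) {
    if (CrntCode < 0 || CrntCode > LZ_MAX_CODE) return -1;
    return Prefix[CrntCode];
}

/* Constructed inputs: all-ones bytes read as 12-bit codes give the maximum code. */
static const uint8_t kOnes[3] = { 0xff, 0xff, 0xff };
static const uint8_t kTwo[2]  = { 0x01, 0x02 };

/* Returns the first code read at CodeSize from the buffer, or -1 on any error. */
int demo_code(int CodeSize, const uint8_t *in, size_t len) {
    BitReader br = { in, len, 0, 0, 0 };
    int code;
    return read_code(&br, CodeSize, &code) == 0 ? code : -1;
}
```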
