Dear maintainer, I've prepared an NMU for giflib (versioned as 5.1.2-0.4) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. Regards.
diff -Nru giflib-5.1.2/debian/changelog giflib-5.1.2/debian/changelog
--- giflib-5.1.2/debian/changelog 2016-04-15 19:12:41.000000000 +0200
+++ giflib-5.1.2/debian/changelog 2016-04-15 23:26:43.000000000 +0200
@@ -1,3 +1,14 @@
+giflib (5.1.2-0.4) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch:
+ - fix CVE-2016-3977 (Closes: #820526)
+ * debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch:
+ - fix upstream bug #82 (out of bounds read and write issues)
+ (Closes: #820594)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org> Fri, 15 Apr 2016 23:23:36 +0200
+
 giflib (5.1.2-0.3) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch
--- giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch 2016-04-15 23:33:54.000000000 +0200
@@ -0,0 +1,14 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -376,6 +376,11 @@
+ PrintGifError(Error);
+ exit(EXIT_FAILURE);
+ }
++ }
++
++ if (GifFile->SHeight == 0) {
++ fprintf(stderr, "Image of height 0\n");
++ exit(EXIT_FAILURE);
+ }
+
+ /*
diff -Nru giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
--- giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch 2016-04-15 23:27:09.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -378,8 +378,8 @@
+ }
+ }
+
+- if (GifFile->SHeight == 0) {
+- fprintf(stderr, "Image of height 0\n");
++ if (GifFile->SHeight == 0 || GifFile->SWidth == 0) {
++ fprintf(stderr, "Image of width or height 0\n");
+ exit(EXIT_FAILURE);
+ }
+
diff -Nru giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
--- giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch 2016-04-15 23:34:14.000000000 +0200
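Review bot: debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch opens directly at `--- a/util/gif2rgb.c` with no patch header, so nothing in the file says where the `GifFile->SHeight == 0` guard comes from or which bug it belongs to. A DEP-3 header would make the patch auditable on its own, for example `Description: reject GIFs with a screen height of 0`, `Origin: upstream, <upstream commit URL>` and `Bug: <upstream bug URL>`. The same applies to 4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch and ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch, whose Debian bug numbers are recorded only in debian/changelog. The function that the guard sits in starts and ends outside the inner hunk.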
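Review bot: The widened guard `if (GifFile->SHeight == 0 || GifFile->SWidth == 0)` in 4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch has no comment saying why zero dimensions are fatal, so a later cleanup could take it for a redundant sanity check and drop it. A one-line comment above it would record the reason given in debian/changelog: `/* reject zero-sized screens: upstream bug #82, out-of-bounds reads and writes */`. The check covers only the value 0; whether other dimension values are validated is decided by code outside this hunk, as is the rest of the enclosing function.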
@@ -0,0 +1,69 @@
+Index: giflib-5.1.2/NEWS
+===================================================================
+--- giflib-5.1.2.orig/NEWS
++++ giflib-5.1.2/NEWS
+@@ -1,5 +1,13 @@
+ GIFLIB NEWS
+
++Repository head
++===============
++
++Code Fixes
++----------
++
++* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
++
+ Version 5.1.2
+ =============
+
+Index: giflib-5.1.2/lib/dgif_lib.c
+===================================================================
+--- giflib-5.1.2.orig/lib/dgif_lib.c
++++ giflib-5.1.2/lib/dgif_lib.c
+@@ -288,6 +288,11 @@
+ GifFile->SColorMap = NULL;
+ }
+
++ /*
++ * No check here for whether the background color is in range for the
++ * screen color map. Possibly there should be.
++ */
++
+ return GIF_OK;
+ }
+
+Index: giflib-5.1.2/util/gif2rgb.c
+===================================================================
+--- giflib-5.1.2.orig/util/gif2rgb.c
++++ giflib-5.1.2/util/gif2rgb.c
+@@ -15,7 +15,7 @@
+
+ I (ESR) took this off the main to-do list in 2012 because I don't think
+ the GIFLIB project actually needs to be in the converters-and-tools business.
+-Plenty of hackers do that; our jub is to supply stable library capability
++Plenty of hackers do that; our job is to supply stable library capability
+ with our utilities mainly interesting as test tools.
+
+ ***************************************************************************/
+@@ -467,7 +467,7 @@
+ break;
+ }
+ } while (RecordType != TERMINATE_RECORD_TYPE);
+-
++
+ /* Lets dump it - set the global variables required and do it: */
+ ColorMap = (GifFile->Image.ColorMap
+ ? GifFile->Image.ColorMap
+@@ -477,6 +477,12 @@
+ exit(EXIT_FAILURE);
+ }
+
++ /* check that the background color isn't garbage (SF bug #87) */
++ if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= ColorMap->ColorCount) {
++ fprintf(stderr, "Background color out of range for colormap\n");
++ exit(EXIT_FAILURE);
++ }
++
+ DumpScreen2RGB(OutFileName, OneFileFlag,
+ ColorMap,
+ ScreenBuffer,
diff -Nru giflib-5.1.2/debian/patches/series giflib-5.1.2/debian/patches/series
--- giflib-5.1.2/debian/patches/series 2016-04-15 19:09:44.000000000 +0200
+++ giflib-5.1.2/debian/patches/series 2016-04-15 23:33:08.000000000 +0200
@@ -2,3 +2,6 @@
 #04-fprintf_format_error.patch
 issue81.diff
 ef0cb9b4be572262b49fbc26fb2348683f44a517.patch
+ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
+259ba23dfaf5e55db5c64cc07849905757519e36.patch
+4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
G.
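Review bot: The new range check in util/gif2rgb.c bounds only `GifFile->SBackGroundColor` against `ColorMap->ColorCount`; the contents of `ScreenBuffer`, which is passed to `DumpScreen2RGB` together with the same `ColorMap`, are not compared with `ColorCount` anywhere in the visible lines. If `DumpScreen2RGB` (outside the hunk) uses buffer values as colormap indexes, decoded pixel values larger than the map would presumably reach the same out-of-bounds read, so the bound belongs at the point of the lookup rather than only in front of the call. The lib/dgif_lib.c part of the patch adds a comment but no check, which leaves every other caller of the library to validate the background index itself; the comment should say so outright, e.g. `/* NOTE: SBackGroundColor is not validated here; callers must check it against the color map's ColorCount before indexing. */`.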
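Review bot: debian/patches/series gains three entries, but the 5.1.2-0.4 changelog entry documents only two of them; 259ba23dfaf5e55db5c64cc07849905757519e36.patch is applied without being mentioned. It is a prerequisite of 4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch, which rewrites the `SHeight == 0` line that 259ba23 adds, so the order in series is right and has to stay that way. A comment line in series, `# 259ba23 must precede 4cc68b3 (the second patch edits the check the first one adds)`, plus a matching changelog bullet would record the dependency for whoever audits or reorders the patch queue later.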
diff -Nru giflib-5.1.2/debian/changelog giflib-5.1.2/debian/changelog
--- giflib-5.1.2/debian/changelog 2016-04-15 19:12:41.000000000 +0200
+++ giflib-5.1.2/debian/changelog 2016-04-15 23:26:43.000000000 +0200
@@ -1,3 +1,14 @@
+giflib (5.1.2-0.4) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch:
+ - fix CVE-2016-3977 (Closes: #820526)
+ * debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch:
+ - fix upstream bug #82 (out of bounds read and write issues)
+ (Closes: #820594)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org> Fri, 15 Apr 2016 23:23:36 +0200
+
 giflib (5.1.2-0.3) unstable; urgency=medium
 * Non-maintainer upload.
diff -Nru giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch
--- giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch 2016-04-15 23:33:54.000000000 +0200
@@ -0,0 +1,14 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -376,6 +376,11 @@
+ PrintGifError(Error);
+ exit(EXIT_FAILURE);
+ }
++ }
++
++ if (GifFile->SHeight == 0) {
++ fprintf(stderr, "Image of height 0\n");
++ exit(EXIT_FAILURE);
+ }
+
+ /*
diff -Nru giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
--- giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch 2016-04-15 23:27:09.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -378,8 +378,8 @@
+ }
+ }
+
+- if (GifFile->SHeight == 0) {
+- fprintf(stderr, "Image of height 0\n");
++ if (GifFile->SHeight == 0 || GifFile->SWidth == 0) {
++ fprintf(stderr, "Image of width or height 0\n");
+ exit(EXIT_FAILURE);
+ }
+
diff -Nru giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
--- giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch 2016-04-15 23:34:14.000000000 +0200
@@ -0,0 +1,69 @@
+Index: giflib-5.1.2/NEWS
+===================================================================
+--- giflib-5.1.2.orig/NEWS
++++ giflib-5.1.2/NEWS
+@@ -1,5 +1,13 @@
+ GIFLIB NEWS
+
++Repository head
++===============
++
++Code Fixes
++----------
++
++* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
++
+ Version 5.1.2
+ =============
+
+Index: giflib-5.1.2/lib/dgif_lib.c
+===================================================================
+--- giflib-5.1.2.orig/lib/dgif_lib.c
++++ giflib-5.1.2/lib/dgif_lib.c
+@@ -288,6 +288,11 @@
+ GifFile->SColorMap = NULL;
+ }
+
++ /*
++ * No check here for whether the background color is in range for the
++ * screen color map. Possibly there should be.
++ */
++
+ return GIF_OK;
+ }
+
+Index: giflib-5.1.2/util/gif2rgb.c
+===================================================================
+--- giflib-5.1.2.orig/util/gif2rgb.c
++++ giflib-5.1.2/util/gif2rgb.c
+@@ -15,7 +15,7 @@
+
+ I (ESR) took this off the main to-do list in 2012 because I don't think
+ the GIFLIB project actually needs to be in the converters-and-tools business.
+-Plenty of hackers do that; our jub is to supply stable library capability
++Plenty of hackers do that; our job is to supply stable library capability
+ with our utilities mainly interesting as test tools.
+
+ ***************************************************************************/
+@@ -467,7 +467,7 @@
+ break;
+ }
+ } while (RecordType != TERMINATE_RECORD_TYPE);
+-
++
+ /* Lets dump it - set the global variables required and do it: */
+ ColorMap = (GifFile->Image.ColorMap
+ ? GifFile->Image.ColorMap
+@@ -477,6 +477,12 @@
+ exit(EXIT_FAILURE);
+ }
+
++ /* check that the background color isn't garbage (SF bug #87) */
++ if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= ColorMap->ColorCount) {
++ fprintf(stderr, "Background color out of range for colormap\n");
++ exit(EXIT_FAILURE);
++ }
++
+ DumpScreen2RGB(OutFileName, OneFileFlag,
+ ColorMap,
+ ScreenBuffer,
diff -Nru giflib-5.1.2/debian/patches/series giflib-5.1.2/debian/patches/series
--- giflib-5.1.2/debian/patches/series 2016-04-15 19:09:44.000000000 +0200
+++ giflib-5.1.2/debian/patches/series 2016-04-15 23:33:08.000000000 +0200
@@ -2,3 +2,6 @@
 #04-fprintf_format_error.patch
 issue81.diff
 ef0cb9b4be572262b49fbc26fb2348683f44a517.patch
+ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
+259ba23dfaf5e55db5c64cc07849905757519e36.patch
+4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch