Dear maintainer,
I've prepared an NMU for giflib (versioned as 5.1.2-0.4) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.
Regards.
diff -Nru giflib-5.1.2/debian/changelog giflib-5.1.2/debian/changelog
--- giflib-5.1.2/debian/changelog 2016-04-15 19:12:41.000000000 +0200
+++ giflib-5.1.2/debian/changelog 2016-04-15 23:26:43.000000000 +0200
@@ -1,3 +1,14 @@
+giflib (5.1.2-0.4) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch:
+ - fix CVE-2016-3977 (Closes: #820526)
+ * debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch:
+ - fix upstream bug #82 (out of bounds read and write issues)
+ (Closes: #820594)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org> Fri, 15 Apr 2016
23:23:36 +0200
+
giflib (5.1.2-0.3) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru
giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch
giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch
--- giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch
1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch
2016-04-15 23:33:54.000000000 +0200
@@ -0,0 +1,14 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -376,6 +376,11 @@
+ PrintGifError(Error);
+ exit(EXIT_FAILURE);
+ }
++ }
++
++ if (GifFile->SHeight == 0) {
++ fprintf(stderr, "Image of height 0\n");
++ exit(EXIT_FAILURE);
+ }
+
+ /*
diff -Nru
giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
--- giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
2016-04-15 23:27:09.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -378,8 +378,8 @@
+ }
+ }
+
+- if (GifFile->SHeight == 0) {
+- fprintf(stderr, "Image of height 0\n");
++ if (GifFile->SHeight == 0 || GifFile->SWidth == 0) {
++ fprintf(stderr, "Image of width or height 0\n");
+ exit(EXIT_FAILURE);
+ }
+
diff -Nru
giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
--- giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
2016-04-15 23:34:14.000000000 +0200
@@ -0,0 +1,69 @@
+Index: giflib-5.1.2/NEWS
+===================================================================
+--- giflib-5.1.2.orig/NEWS
++++ giflib-5.1.2/NEWS
+@@ -1,5 +1,13 @@
+ GIFLIB NEWS
+
++Repository head
++===============
++
++Code Fixes
++----------
++
++* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
++
+ Version 5.1.2
+ =============
+
+Index: giflib-5.1.2/lib/dgif_lib.c
+===================================================================
+--- giflib-5.1.2.orig/lib/dgif_lib.c
++++ giflib-5.1.2/lib/dgif_lib.c
+@@ -288,6 +288,11 @@
+ GifFile->SColorMap = NULL;
+ }
+
++ /*
++ * No check here for whether the background color is in range for the
++ * screen color map. Possibly there should be.
++ */
++
+ return GIF_OK;
+ }
+
+Index: giflib-5.1.2/util/gif2rgb.c
+===================================================================
+--- giflib-5.1.2.orig/util/gif2rgb.c
++++ giflib-5.1.2/util/gif2rgb.c
+@@ -15,7 +15,7 @@
+
+ I (ESR) took this off the main to-do list in 2012 because I don't think
+ the GIFLIB project actually needs to be in the converters-and-tools business.
+-Plenty of hackers do that; our jub is to supply stable library capability
++Plenty of hackers do that; our job is to supply stable library capability
+ with our utilities mainly interesting as test tools.
+
+ ***************************************************************************/
+@@ -467,7 +467,7 @@
+ break;
+ }
+ } while (RecordType != TERMINATE_RECORD_TYPE);
+-
++
+ /* Lets dump it - set the global variables required and do it: */
+ ColorMap = (GifFile->Image.ColorMap
+ ? GifFile->Image.ColorMap
+@@ -477,6 +477,12 @@
+ exit(EXIT_FAILURE);
+ }
+
++ /* check that the background color isn't garbage (SF bug #87) */
++ if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >=
ColorMap->ColorCount) {
++ fprintf(stderr, "Background color out of range for colormap\n");
++ exit(EXIT_FAILURE);
++ }
++
+ DumpScreen2RGB(OutFileName, OneFileFlag,
+ ColorMap,
+ ScreenBuffer,
diff -Nru giflib-5.1.2/debian/patches/series giflib-5.1.2/debian/patches/series
--- giflib-5.1.2/debian/patches/series 2016-04-15 19:09:44.000000000 +0200
+++ giflib-5.1.2/debian/patches/series 2016-04-15 23:33:08.000000000 +0200
@@ -2,3 +2,6 @@
#04-fprintf_format_error.patch
issue81.diff
ef0cb9b4be572262b49fbc26fb2348683f44a517.patch
+ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
+259ba23dfaf5e55db5c64cc07849905757519e36.patch
+4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
G.
diff -Nru giflib-5.1.2/debian/changelog giflib-5.1.2/debian/changelog
--- giflib-5.1.2/debian/changelog 2016-04-15 19:12:41.000000000 +0200
+++ giflib-5.1.2/debian/changelog 2016-04-15 23:26:43.000000000 +0200
@@ -1,3 +1,14 @@
+giflib (5.1.2-0.4) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch:
+ - fix CVE-2016-3977 (Closes: #820526)
+ * debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch:
+ - fix upstream bug #82 (out of bounds read and write issues)
+ (Closes: #820594)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org> Fri, 15 Apr 2016 23:23:36 +0200
+
giflib (5.1.2-0.3) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch
--- giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch 2016-04-15 23:33:54.000000000 +0200
@@ -0,0 +1,14 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -376,6 +376,11 @@
+ PrintGifError(Error);
+ exit(EXIT_FAILURE);
+ }
++ }
++
++ if (GifFile->SHeight == 0) {
++ fprintf(stderr, "Image of height 0\n");
++ exit(EXIT_FAILURE);
+ }
+
+ /*
diff -Nru giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
--- giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch 2016-04-15 23:27:09.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -378,8 +378,8 @@
+ }
+ }
+
+- if (GifFile->SHeight == 0) {
+- fprintf(stderr, "Image of height 0\n");
++ if (GifFile->SHeight == 0 || GifFile->SWidth == 0) {
++ fprintf(stderr, "Image of width or height 0\n");
+ exit(EXIT_FAILURE);
+ }
+
diff -Nru giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
--- giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch 2016-04-15 23:34:14.000000000 +0200
@@ -0,0 +1,69 @@
+Index: giflib-5.1.2/NEWS
+===================================================================
+--- giflib-5.1.2.orig/NEWS
++++ giflib-5.1.2/NEWS
+@@ -1,5 +1,13 @@
+ GIFLIB NEWS
+
++Repository head
++===============
++
++Code Fixes
++----------
++
++* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
++
+ Version 5.1.2
+ =============
+
+Index: giflib-5.1.2/lib/dgif_lib.c
+===================================================================
+--- giflib-5.1.2.orig/lib/dgif_lib.c
++++ giflib-5.1.2/lib/dgif_lib.c
+@@ -288,6 +288,11 @@
+ GifFile->SColorMap = NULL;
+ }
+
++ /*
++ * No check here for whether the background color is in range for the
++ * screen color map. Possibly there should be.
++ */
++
+ return GIF_OK;
+ }
+
+Index: giflib-5.1.2/util/gif2rgb.c
+===================================================================
+--- giflib-5.1.2.orig/util/gif2rgb.c
++++ giflib-5.1.2/util/gif2rgb.c
+@@ -15,7 +15,7 @@
+
+ I (ESR) took this off the main to-do list in 2012 because I don't think
+ the GIFLIB project actually needs to be in the converters-and-tools business.
+-Plenty of hackers do that; our jub is to supply stable library capability
++Plenty of hackers do that; our job is to supply stable library capability
+ with our utilities mainly interesting as test tools.
+
+ ***************************************************************************/
+@@ -467,7 +467,7 @@
+ break;
+ }
+ } while (RecordType != TERMINATE_RECORD_TYPE);
+-
++
+ /* Lets dump it - set the global variables required and do it: */
+ ColorMap = (GifFile->Image.ColorMap
+ ? GifFile->Image.ColorMap
+@@ -477,6 +477,12 @@
+ exit(EXIT_FAILURE);
+ }
+
++ /* check that the background color isn't garbage (SF bug #87) */
++ if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= ColorMap->ColorCount) {
++ fprintf(stderr, "Background color out of range for colormap\n");
++ exit(EXIT_FAILURE);
++ }
++
+ DumpScreen2RGB(OutFileName, OneFileFlag,
+ ColorMap,
+ ScreenBuffer,
diff -Nru giflib-5.1.2/debian/patches/series giflib-5.1.2/debian/patches/series
--- giflib-5.1.2/debian/patches/series 2016-04-15 19:09:44.000000000 +0200
+++ giflib-5.1.2/debian/patches/series 2016-04-15 23:33:08.000000000 +0200
@@ -2,3 +2,6 @@
#04-fprintf_format_error.patch
issue81.diff
ef0cb9b4be572262b49fbc26fb2348683f44a517.patch
+ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
+259ba23dfaf5e55db5c64cc07849905757519e36.patch
+4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
