Bug 1305505 (CVE-2015-8808)

Summary: CVE-2015-8808 GraphicsMagick: out-of-bound read in the parsing of GIF files
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andreas, rdieter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:48:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1305506, 1305507    
Bug Blocks:    

Description Martin Prpič 2016-02-08 12:53:23 UTC 
An out-of-bounds read flaw was found in the parsing of GIF files using GraphicsMagick.

$ ./gm identify overflow.gif

AddressSanitizer: heap-buffer-overflow
READ of size 1

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/gif.c:276 DecodeImage

This issue is caused by the use of unintialized memory in DecodeImage and fortunately it was fixed here:

http://marc.info/?l=graphicsmagick-commit&m=142283721604323&w=2

Reported at:

http://seclists.org/oss-sec/2016/q1/288
Comment 1 Martin Prpič 2016-02-08 12:53:50 UTC 
Created GraphicsMagick tracking bugs for this issue:

Affects: fedora-all [bug 1305506]
Affects: epel-all [bug 1305507]
Comment 2 Fedora Update System 2016-02-23 19:48:24 UTC 
GraphicsMagick-1.3.23-1.fc22, gdl-0.9.5-10.fc22, octave-3.8.2-19.fc22, vdr-skinenigmang-0.1.2-27.fc22, vdr-skinnopacity-1.1.3-9.fc22, vdr-tvguide-1.2.2-9.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2016-02-25 04:50:53 UTC 
GraphicsMagick-1.3.23-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2016-02-29 20:56:08 UTC 
GraphicsMagick-1.3.23-4.el7, gdl-0.9.5-3.el7, octave-3.8.2-19.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2016-02-29 21:25:38 UTC 
GraphicsMagick-1.3.23-4.el6, gdl-0.9.5-4.el6, octave-3.4.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Product Security DevOps Team 2019-06-08 02:48:13 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.