Bug 430100 (CVE-2007-6697)
| Summary: | CVE-2007-6697 SDL_image: GIF handling buffer overflow | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | bdpepple, dev, jmoskovc, mmaslano, twoerner | ||||
| Target Milestone: | --- | Keywords: | Reopened, Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | 1.2.5-7.fc7 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-04-24 11:15:16 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 430238, 430239, 430241 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Tomas Hoger
2008-01-24 15:14:11 UTC
Created attachment 292800 [details]
Reproducer from the advisory
This seems to be the same issue as CVE-2006-4484 (reported for gd embedded in php sources back in 2006): Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array. GD/PHP CVS commit: http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd_gif_in.c?r1=1.3&r2=1.4 Seems to be included in upstream gd as of version 2.0.34. Hey Tomas, should this bug still be filed against SDL_image, or should I open a new bug against it? Brian, our process is to file security bugs against 'Security Response' product and make "tracking bugs" for affected product versions (current versions of Fedora, Red Hat Enterprise Linux, Red Hat layered products). Technically, you do not need Fedora bugs against SDL_image component in any specific Fedora version, but we usually create them to make tracking of the issue easier. SDL_image-1.2.5-7.fc7 has been submitted as an update for Fedora 7 There are other apps / projects affected by this problem too, as this GIF handling code that seem to have been originally written by David Koblas is used in more or less modified form in many projects: Already listed above: SDL_image - to be fixed in 1.2.7 gd - fixed in 2.0.34 Other identified affected projects: netpbm (giftopnm converter) - fixed in 10.27 tk - to be fixed in upcoming 8.5.1 Other affected projects identified by Raphaƫl Marichez of Gentoo: sourcenav (http://sourcenav.sourceforge.net) (verified in v 5.1.4) insight (http://sourceware.org/insight/) (verified in v 6.5) TK Perl Module (http://search.cpan.org/~ni-s/) (verified in v 804.027) perl-Tk is also shipped in Fedora. SDL_image-1.2.5-7.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. SDL_image-1.2.5-7.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. Mitre has assigned CVE id CVE-2007-6697 to this issue as affecting SDL_image. Public now for other affected projects. Opening comment #9. http://tktoolkit.cvs.sourceforge.net/tktoolkit/tk/generic/tkImgGIF.c?r1=1.40&r2=1.41 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464056 This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1231 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1208 |