1314438 – (CVE-2016-3177) CVE-2016-3177 giflib: Use-after-free in gifcolor utility

Bug 1314438 (CVE-2016-3177) - CVE-2016-3177 giflib: Use-after-free in gifcolor utility

Summary: CVE-2016-3177 giflib: Use-after-free in gifcolor utility

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2016-3177
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1318264 1318265
Blocks:	1314440
TreeView+	depends on / blocked

Reported:	2016-03-03 15:37 UTC by Adam Mariš
Modified:	2021-02-17 04:14 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-08-31 01:26:57 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2016-03-03 15:37:11 UTC

Multiple use-after-free vulnerabilities in gifcolor.c were found in 5.1.2. Two possible consecutive calls to EGifCloseFile with the same first parameter (GifFile) could lead to two calls to free(GifFile) / free(Private->HashTable) / free(Private). In particular, the second call of free(GifFile) appears in egif_lib.c, where there is no check to know if 'ErrorCode!=NULL' for this free. Since Private is freed with the first call to EGifCloseFile, and used during the second call, resulting into use-after-free.

Comment 1 Adam Mariš 2016-03-03 15:37:23 UTC

Acknowledgments:

Name: Josselin Feist

Comment 2 Adam Mariš 2016-03-16 11:44:51 UTC

Upstream bug:

https://sourceforge.net/p/giflib/bugs/83/

Comment 3 Adam Mariš 2016-03-16 11:46:33 UTC

Created giflib tracking bugs for this issue:

Affects: fedora-all [bug 1318264]

Comment 4 Adam Mariš 2016-03-16 11:46:41 UTC

Created mingw-giflib tracking bugs for this issue:

Affects: fedora-all [bug 1318265]

Comment 5 Adam Mariš 2016-03-16 16:01:42 UTC

CVE request:

http://seclists.org/oss-sec/2016/q1/657

Comment 6 Andrej Nemec 2016-03-17 10:12:54 UTC

CVE assignment:

http://seclists.org/oss-sec/2016/q1/663

Comment 7 Stefan Cornelius 2016-04-21 08:44:44 UTC

Patch:
https://sourceforge.net/p/giflib/code/ci/7287722a6278dd0ab483ab50c0ded6d1dd805a0c/

Comment 8 Stefan Cornelius 2016-04-21 08:55:46 UTC

I believe that was introduced via https://sourceforge.net/p/giflib/code/ci/116179a7d4681dda9afcdd43b5fbfb391b44918b/

RHEL code base does not include this patch and should not be vulnerable.

Statement:

This issue did not affect the versions of giflib as shipped with Red Hat Enterprise Linux 5, 6, and 7.

Note You need to log in before you can comment on or make changes to this bug.

abaron
aortega
apevec
ayoung
chrisw
cvsbot-xmlrpc
dallan
gkotton
jschluet
kbasil
lhh
lpeer
markmc
rbryant
sclewis
security-response-team
slawomir
srevivo
tdecacqu
tsuter
vgaikwad