+++ This bug was initially created as a clone of Bug #171413 +++

Chris Evans reported several issues with libungif to vendor-sec. They have been fixed in libungif-4.1.4, but not noted as security issues.

"I believe that the recently released libungif-4.1.4 fixes these crashes. Credit here must go to Daniel Eisenbud who independently noticed libungif crashes _and_ patched it to fix it."
This issue should also affect FC3
bad1.gif triggers a NULL dereference crash
CVE-2005-2974 libungif NULL pointer deref

bad2 and bad3 trigger out of bounds memory access crashes. bad2 may possibly allow for arbitrary code execution as it's an OOB write.
CVE-2005-3350 libungif OOB access
Lifting embargo
libungif-4.1.3-1.fc3.2 has been pushed for FC3, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
libungif-4.1.3-3.fc4.2 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.