2373147 – (CVE-2025-6199) CVE-2025-6199 gdk-pixbuf: Uninitialized Memory Disclosure in GdkPixbuf GIF LZW Decoder

Bug 2373147 (CVE-2025-6199) - CVE-2025-6199 gdk-pixbuf: Uninitialized Memory Disclosure in GdkPixbuf GIF LZW Decoder

Summary: CVE-2025-6199 gdk-pixbuf: Uninitialized Memory Disclosure in GdkPixbuf GIF LZ...

Keywords:
Status:	NEW
Alias:	CVE-2025-6199
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2373154 2373156 2373161 2373166 2373152 2373153 2373155 2373157 2373158 2373159 2373160 2373162 2373163 2373164 2373165 2373167 2373168 2373169 2373170
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-17 12:03 UTC by OSIDB Bzimport
Modified:	2025-06-17 14:24 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-06-17 12:03:55 UTC

Information Disclosure via uninitialized heap memory exposure in GdkPixbuf’s GIF LZW decoder. Upon encountering an invalid LZW symbol, the decoder incorrectly returns the full buffer length instead of the number of decoded bytes written. This oversight leads to uninitialized memory regions in the output image. A crafted GIF can be used to leak memory contents by processing and then reading back the resulting pixbuf.

Note You need to log in before you can comment on or make changes to this bug.