Bug 244227
| Field | Value |
|---|---|
| Summary | giftext segfaults when processing a particular GIF file |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Aleksander Adamowski <bugs-redhat> |
| Component | giflib |
| Assignee | ritz <rkhadgar> |
| Status | CLOSED DUPLICATE |
| Severity | medium |
| Priority | low |
| Version | 5.0 |
| CC | rkhadgar, toshio |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2011-03-15 08:42:57 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Attachments:

- attachment 157017: Problematic GIF
- attachment 160406: Another GIF file that causes segfault
The segmentation fault is still present in giflib-utils-4.1.3-7.1 in Fedora Core 6. I'm raising severity because this bug might be a source of security problems: giftext is used by some SpamAssassin plugins for combating image spam, and if the crash is exploitable, it may be used to gain remote control of the mail scanning server. The problem also occurs on RHEL 5:

```
$ giftext image001.gif
image001.gif:
Screen Size - Width = 54, Height = 28.
Segmentation fault (core dumped)
```
Created attachment 252971: Fixed SRPM for FC6

This SRPM is based on giflib-4.1.3-7.1.src.rpm for Fedora Core 6. The only difference is the added tiny patch that fixes the segfault.

Please consider releasing the updated RPMs for RHEL and other FC versions. Some of your customers may be at a security risk because giftext is used in some server contexts (e.g. it's used by OCR plugins for SpamAssassin).
CCing jkeating, packager of the previous revision of the RPM.

I was never a maintainer of this package. I may have (re)built it once or twice, but that was for release engineering purposes.

BTW, there are more security issues that are being fixed now. The project maintainer from SF hasn't been getting any mail from SF and only recently he got to know about all the submitted bugs in recent years. He's currently fixing all the reported bugs, so expect a security update release of giflib in the next couple of days. When that's done, I think update RPMs should be released ASAP (at least for RHEL).

Here's an example of another segfault with an available fix; this time it's a failure to do proper bounds checking: https://sourceforge.net/tracker/index.php?func=detail&aid=1671392&group_id=102202&atid=631304

An announcement from the giflib project maintainer: a new version has been released with all the reported segfaults fixed:

> Comment By: Toshio Kuratomi (abadger1999) Date: 2007-11-10 17:07
> A new release, giflib-4.1.5 has been made with this and other segfaults fixed. Note that the project name has also changed: URLs should be pointed to http://www.sf.net/projects/giflib instead of: http://www.sf.net/projects/libungif

Created attachment 254251: Updated spec file

Hi Norm,

Here's an updated spec file for giflib-4.1.6. I've requested permissions in the pkgdb to work on this package for Fedora. If you'd like some help, you can log into the pkgdb with your Fedora Account System username and password and approve those permissions on this page: https://admin.fedoraproject.org/pkgdb/packages/name/giflib

Created attachment 263511: SRPM with giflib 4.1.6, tested on Fedora Core 7

*** This bug has been marked as a duplicate of bug 249555 ***
Description of problem:

Version-Release number of selected component (if applicable): giflib-utils-4.1.3-6.2.1

How reproducible: 100%

Steps to Reproduce:
1. Launch "giftext image001.gif"

Actual results:

```
---- SNIP ----
image001.gif:
Screen Size - Width = 54, Height = 28.
Segmentation fault (core dumped)
---- SNIP ----
```

Expected results: No segmentation fault

Additional info: Architecture is x86_64.

Backtrace (without symbols; there's no debuginfo RPM for giflib):

```
gdb /usr/bin/giftext core.1218
GNU gdb Red Hat Linux (6.3.0.0-1.134.fc5rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib64/libthread_db.so.1".

Core was generated by `giftext image001.gif'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib64/libgif.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libgif.so.4
Reading symbols from /usr/lib64/libSM.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libSM.so.6
Reading symbols from /usr/lib64/libICE.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libICE.so.6
Reading symbols from /usr/lib64/libX11.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libX11.so.6
Reading symbols from /lib64/libc.so.6...Reading symbols from /usr/lib/debug/lib64/libc-2.4.so.debug...done.
done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /usr/lib64/libXau.so.6...done.
Loaded symbols for /usr/lib64/libXau.so.6
Reading symbols from /usr/lib64/libXdmcp.so.6...done.
Loaded symbols for /usr/lib64/libXdmcp.so.6
Reading symbols from /lib64/libdl.so.2...Reading symbols from /usr/lib/debug/lib64/libdl-2.4.so.debug...done.
done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib64/ld-2.4.so.debug...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
#0  0x0000000000401b9a in ?? ()
(gdb) bt
#0  0x0000000000401b9a in ?? ()
#1  0x000000356b71c784 in __libc_start_main (main=0x401570, argc=2, ubp_av=0x7fffc7616af8, init=Variable "init" is not available.
) at libc-start.c:231
#2  0x0000000000400f59 in ?? ()
#3  0x00007fffc7616ae8 in ?? ()
#4  0x0000000000000000 in ?? ()
```