Bug 244227 - giftext segfaults when processing a particular GIF file
Status: CLOSED DUPLICATE of bug 249555
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: giflib
Version: 5.0
Platform: x86_64 Linux
Priority: low, Severity: medium
Assigned To: ritz
Reported: 2007-06-14 12:13 EDT by Aleksander Adamowski
Modified: 2011-03-15 04:42 EDT

Doc Type: Bug Fix
Last Closed: 2011-03-15 04:42:57 EDT
Attachments
Problematic GIF (1.33 KB, image/gif), 2007-06-14 12:13 EDT, Aleksander Adamowski
Another GIF file that causes segfault (642 bytes, image/gif), 2007-08-01 07:46 EDT, Aleksander Adamowski
Fixed SRPM for FC6 (437.84 KB, application/octet-stream), 2007-11-09 11:08 EST, Aleksander Adamowski
Updated spec file (4.37 KB, text/x-rpm-spec), 2007-11-11 00:59 EST, Toshio Ernie Kuratomi
SRPM with giflib 4.1.6, tested on Fedora Core 7 (499.82 KB, application/octet-stream), 2007-11-19 09:51 EST, Aleksander Adamowski

Description Aleksander Adamowski 2007-06-14 12:13:41 EDT
Description of problem:


Version-Release number of selected component (if applicable):
giflib-utils-4.1.3-6.2.1

How reproducible:

100%


Steps to Reproduce:
1. Launch "giftext image001.gif"

Actual results:


---- SNIP ----
image001.gif:

        Screen Size - Width = 54, Height = 28.
Segmentation fault (core dumped)
---- SNIP ----

Expected results:

No segmentation fault

Additional info:

Architecture is x86_64.

Backtrace (without symbols - there's no debuginfo RPM for giflib):

 gdb /usr/bin/giftext core.1218 
GNU gdb Red Hat Linux (6.3.0.0-1.134.fc5rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib64/libthread_db.so.1".

Core was generated by `giftext image001.gif'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib64/libgif.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libgif.so.4
Reading symbols from /usr/lib64/libSM.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libSM.so.6
Reading symbols from /usr/lib64/libICE.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libICE.so.6
Reading symbols from /usr/lib64/libX11.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libX11.so.6
Reading symbols from /lib64/libc.so.6...Reading symbols from
/usr/lib/debug/lib64/libc-2.4.so.debug...done.
done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /usr/lib64/libXau.so.6...done.
Loaded symbols for /usr/lib64/libXau.so.6
Reading symbols from /usr/lib64/libXdmcp.so.6...done.
Loaded symbols for /usr/lib64/libXdmcp.so.6
Reading symbols from /lib64/libdl.so.2...Reading symbols from
/usr/lib/debug/lib64/libdl-2.4.so.debug...done.
done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from
/usr/lib/debug/lib64/ld-2.4.so.debug...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
#0  0x0000000000401b9a in ?? ()
(gdb) bt
#0  0x0000000000401b9a in ?? ()
#1  0x000000356b71c784 in __libc_start_main (main=0x401570, argc=2,
ubp_av=0x7fffc7616af8, init=Variable "init" is not available.
) at libc-start.c:231
#2  0x0000000000400f59 in ?? ()
#3  0x00007fffc7616ae8 in ?? ()
#4  0x0000000000000000 in ?? ()
Comment 1 Aleksander Adamowski 2007-06-14 12:13:41 EDT
Created attachment 157017 [details]
Problematic GIF
Comment 2 Aleksander Adamowski 2007-08-01 07:46:54 EDT
Created attachment 160406 [details]
Another GIF file that causes segfault
Comment 3 Aleksander Adamowski 2007-08-01 07:50:04 EDT
The segmentation fault is still present in giflib-utils-4.1.3-7.1 in Fedora Core 6.

I'm raising severity because this bug might be a source of security problems -
giftext is used by some SpamAssassin plugins used for combating image spam and
if the crash is exploitable, it may be used to gain remote control of the mail
scanning server.

Comment 4 Aleksander Adamowski 2007-11-08 06:36:01 EST
The problem also occurs on RHEL 5:

$ giftext image001.gif 

image001.gif:

        Screen Size - Width = 54, Height = 28.
Segmentation fault (core dumped)
Comment 5 Aleksander Adamowski 2007-11-09 11:08:37 EST
Created attachment 252971 [details]
Fixed SRPM for FC6

This SRPM is based on giflib-4.1.3-7.1.src.rpm for Fedora Core 6. The only
difference is the added tiny patch that fixes the segfault.

Please, consider releasing the updated RPMs for RHEL and other FC versions.

Some of your customers may be at a security risk because giftext is used in
some server contexts (e.g. it's used by OCR plugins for SpamAssassin).
Comment 6 Aleksander Adamowski 2007-11-09 11:09:36 EST
CCing jkeating@redhat.com, packager of the previous revision of the RPM.
Comment 7 Jesse Keating 2007-11-09 11:26:02 EST
I was never a maintainer of this package.  I may have (re)built it once or
twice, but that was for release engineering purposes.
Comment 8 Aleksander Adamowski 2007-11-10 12:51:00 EST
BTW, there are more security issues that are being fixed now.

The project maintainer from SF hasn't been getting any mail from SF and only
recently he got to know about all the submitted bugs in recent years.
He's currently fixing all the reported bugs, so expect a security update release
of giflib in the next couple of days. When that's done, I think update RPMs
should be released ASAP (at least for RHEL).

Here's an example of another segfault with available fix - this time it's
failure to do proper bounds checking:
https://sourceforge.net/tracker/index.php?func=detail&aid=1671392&group_id=102202&atid=631304
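The bounds-checking failure mentioned in Comment 8 is the general class of defect behind crashes like this one: a reader that trusts the length fields inside the file. As an added illustration, not giflib's code and not the patch in the attached SRPM, the walk below checks every GIF block length against the bytes that remain, so a truncated or oversized sub-block is reported as an error rather than read past the buffer; `gif_walk`, `skip_subblocks`, `gif_walk_t` and the sample bytes are all constructed here.

```c
#include <stdint.h>
#include <string.h>
/* Outcome of a bounds-checked walk over a GIF buffer (hypothetical type, not giflib's). */
typedef struct { int ok; unsigned width, height, images, extensions; } gif_walk_t;
/* Constructed sample: 1x1 GIF87a, 2-entry global color table, one image, trailer. */
const uint8_t sample_gif[] = { 'G','I','F','8','7','a', 1,0, 1,0, 0x80, 0,0, 0,0,0, 255,255,255,
    0x2C, 0,0,0,0, 1,0,1,0, 0x00, 0x02, 0x02,0x44,0x01, 0x00, 0x3B };
/* Skip data sub-blocks (length byte + data) up to the 0-length terminator; returns the
   new offset, or 0 if a sub-block claims more bytes than remain in the buffer. */
static size_t skip_subblocks(const uint8_t *b, size_t n, size_t off) {
    while (off < n) {
        uint8_t len = b[off++];
        if (len == 0) return off;
        if (len > n - off) return 0;  /* the check that keeps every read inside the buffer */
        off += len;
    }
    return 0;                         /* no terminator before end of input */
}
gif_walk_t gif_walk(const uint8_t *b, size_t n) {
    gif_walk_t r = {0};
    size_t off = 13;                  /* 6-byte signature + 7-byte logical screen descriptor */
    if (n < off || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6))) return r;
    r.width = b[6] | (b[7] << 8);  r.height = b[8] | (b[9] << 8);
    if (b[10] & 0x80) {               /* global color table: 3 * 2^(N+1) bytes */
        size_t ct = 3u << ((b[10] & 7) + 1);
        if (ct > n - off) return r;
        off += ct;
    }
    while (off < n) {
        uint8_t tag = b[off++];
        if (tag == 0x3B) { r.ok = 1; return r; }   /* trailer: walk completed */
        if (tag == 0x21) {                           /* extension: label byte + sub-blocks */
            if (off++ >= n) return r;
            r.extensions++;
        } else if (tag == 0x2C) {                    /* image descriptor: 9 bytes */
            if (9 > n - off) return r;
            uint8_t flags = b[off + 8];
            off += 9;
            if (flags & 0x80) {                      /* local color table */
                size_t ct = 3u << ((flags & 7) + 1);
                if (ct > n - off) return r;
                off += ct;
            }
            if (off++ >= n) return r;                /* LZW minimum code size byte */
            r.images++;
        } else return r;                             /* unknown block introducer */
        if ((off = skip_subblocks(b, n, off)) == 0) return r;
    }
    return r;                                        /* ran out of input before the trailer */
}
```

Passing the same sample with a shorter length (cutting it inside the image data sub-block, or just before the trailer) makes the walk fail cleanly with `ok == 0` instead of reading beyond the buffer.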
Comment 9 Aleksander Adamowski 2007-11-10 17:20:49 EST
An announcement from giflib project maintainer - a new version has been released
with all the reported segfaults fixed:

>Comment By: Toshio Kuratomi (abadger1999)
Date: 2007-11-10 17:07

A new release, giflib-4.1.5 has been made with this and other segfaults
fixed.

Note that the project name has also changed: URLs should be pointed to
 http://www.sf.net/projects/giflib

instead of:
 http://www.sf.net/projects/libungif
Comment 10 Toshio Ernie Kuratomi 2007-11-11 00:59:24 EST
Created attachment 254251 [details]
Updated spec file

Hi Norm,

Here's an updated spec file for giflib-4.1.6.

I've requested permissions in the pkgdb to work on this package for Fedora.  If
you'd like some help, you can log into the pkgdb with your Fedora Account
System username and password and approve those permissions on this page:

  https://admin.fedoraproject.org/pkgdb/packages/name/giflib
Comment 11 Aleksander Adamowski 2007-11-19 09:51:01 EST
Created attachment 263511 [details]
SRPM with giflib 4.1.6, tested on Fedora Core 7
Comment 12 ritz 2011-03-15 04:42:57 EDT

*** This bug has been marked as a duplicate of bug 249555 ***
