Reinhard Max discovered a buffer overflow flaw in the way Tk's GIF processor
handles an interlaced GIF with two frames. It is possible to overflow a buffer
if the second frame is smaller than the first.
The fix can be found here:
I've searched the RHEL codebase for Tk code that uses the -index option with
GIF images. I couldn't find any. Thomas Biege from SUSE says this is an
undocumented feature of Tk. We are assigning this flaw low severity.
Fixed in devel.
If a fix is needed for another version, please open the bug.
The original CVE id CVE-2007-4851 was rejected as a duplicate of CVE-2007-5137:
Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl (Tcl/Tk)
before 8.4.16 allows remote attackers to execute arbitrary code via multi-frame
interlaced GIF files in which later frames are smaller than the first.
Marcela, please update the RPM changelog when doing the next update of tk in Fedora, as
the original CVE id was used there. Thanks!
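
A triage check for the file shape named in the CVE-2007-5137 description above, added here as an example; it is not part of the bug report or of Tk's code. It walks the GIF block structure without decoding any image data and reports whether a multi-frame file has an interlaced frame and a later frame smaller than the first. The function names are hypothetical and the sample bytes are constructed.

```python
import struct

def gif_frames(data: bytes):
    """Return [(width, height, interlaced)] for each image descriptor.
    Truncated input raises IndexError or struct.error."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                  # signature + logical screen descriptor
    if data[10] & 0x80:                       # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))
    frames = []
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                     # trailer
            break
        if block == 0x21:                     # extension: skip the label byte
            pos += 1
        elif block == 0x2C:                   # image descriptor
            _l, _t, w, h, packed = struct.unpack_from("<4HB", data, pos)
            frames.append((w, h, bool(packed & 0x40)))
            pos += 9
            if packed & 0x80:                 # local colour table
                pos += 3 * (2 << (packed & 0x07))
            pos += 1                          # LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x}")
        while data[pos]:                      # skip data sub-blocks
            pos += data[pos] + 1
        pos += 1                              # zero-length terminator
    return frames

def matches_description(data: bytes) -> bool:
    """True for a multi-frame GIF with an interlaced frame and a later frame
    smaller than the first (this function's reading of the CVE text)."""
    frames = gif_frames(data)
    if len(frames) < 2 or not any(il for _, _, il in frames):
        return False
    w0, h0, _ = frames[0]
    return any(w < w0 or h < h0 for w, h, _ in frames[1:])

# Constructed sample input: 4x4 screen, image data is a placeholder sub-block.
HEADER = b"GIF89a" + struct.pack("<2H3B", 4, 4, 0, 0, 0)

def make_frame(w, h, interlaced=True):
    desc = struct.pack("<B4HB", 0x2C, 0, 0, w, h, 0x40 if interlaced else 0)
    return desc + b"\x02" + b"\x02\x4c\x01" + b"\x00"

SHRINKING = HEADER + make_frame(4, 4) + make_frame(2, 2) + b";"
SAME_SIZE = HEADER + make_frame(4, 4) + make_frame(4, 4) + b";"

if __name__ == "__main__":
    print(matches_description(SHRINKING), matches_description(SAME_SIZE))
```

A match only says the file has the shape the description names; whether an installed tk is affected depends on its version.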
Further analysis by Jamie Strandboge yielded the following results:
This issue was introduced by the fix for SF.net bug report:
The issue only affects tk 8.4.13 - 8.4.15.
Affected versions are shipped in Red Hat Enterprise Linux 5, Fedora Core 6 and
This issue was addressed in:
Red Hat Enterprise Linux: