Bug 290991 - (CVE-2007-5137) CVE-2007-5137 Tk GIF processing buffer overflow
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 332061 332071 432514 432515 833985
Reported: 2007-09-14 11:16 EDT by Josh Bressers
Modified: 2012-06-20 10:39 EDT
Doc Type: Bug Fix
Last Closed: 2008-02-22 03:52:59 EST

Description Josh Bressers 2007-09-14 11:16:04 EDT
Reinhard Max discovered a buffer overflow flaw in the way Tk's GIF processor
handles an interlaced GIF with two frames.  It is possible to overflow a buffer
if the second frame is smaller than the first.

The fix can be found here:
Comment 1 Josh Bressers 2007-09-14 11:23:00 EDT
I've searched the RHEL codebase for the tk code that uses the -index option with
GIF images.  I couldn't find any.  Thomas Biege from Suse says this is an
undocumented feature of Tk.  We are assigning this flaw with low severity.
Comment 2 Marcela Mašláňová 2007-09-17 03:46:39 EDT
Fixed in devel.

If a fix is needed for another version, please open the bug.
Comment 3 Tomas Hoger 2007-10-09 02:40:27 EDT
Original CVE id CVE-2007-4851 was rejected as a duplicate of CVE-2007-5137:

Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl (Tcl/Tk)
before 8.4.16 allows remote attackers to execute arbitrary code via multi-frame
interlaced GIF files in which later frames are smaller than the first.


Marcela, please update RPM changelog when doing next update of tk in Fedora, as
original CVE id was used there.  Thanks!
Comment 4 Tomas Hoger 2007-10-15 07:57:04 EDT
Further analysis by Jamie Strandboge yielded the following results:

This issue was introduced by the fix for the SF.net bug report:


Issue only affects tk 8.4.13 - 8.4.15.

Affected versions are shipped in Red Hat Enterprise Linux 5, Fedora Core 6 and
Fedora 7.
Comment 9 Red Hat Product Security 2008-02-22 03:52:59 EST
This issue was addressed in:

Red Hat Enterprise Linux:

