Input validation flaw was discovered in the SDL_image image handling library. Value read from the Gif file is not properly validated against the buffer size and can cause a buffer overflow. More details about this issue can be found here: http://marc.info/?l=bugtraq&m=120110205511630&w=4 Advisory states new upstream version 1.2.7 should be released soon addressing this flaw. Relevant upstream SVN commit seems to be: http://www.libsdl.org/cgi/viewvc.cgi/trunk/SDL_image/IMG_gif.c?r1=3462&r2=3461&pathrev=3462
Created attachment 292800 [details] Reproducer from the advisory
This seems to be the same issue as CVE-2006-4484 (reported for gd embedded in php sources back in 2006): Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array. GD/PHP CVS commit: http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd_gif_in.c?r1=1.3&r2=1.4 Seems to be included in upstream gd as of version 2.0.34.
Hey Tomas, should this bug still be filed against SDL_image, or should I open a new bug against it?
Brian, our process is to file security bugs against 'Security Response' product and make "tracking bugs" for affected product versions (current versions of Fedora, Red Hat Enterprise Linux, Red Hat layered products). Technically, you do not need Fedora bugs against SDL_image component in any specific Fedora version, but we usually create them to make tracking of the issue easier.
SDL_image-1.2.5-7.fc7 has been submitted as an update for Fedora 7
There are other apps / projects affected by this problem too, as this GIF handling code that seem to have been originally written by David Koblas is used in more or less modified form in many projects: Already listed above: SDL_image - to be fixed in 1.2.7 gd - fixed in 2.0.34 Other identified affected projects: netpbm (giftopnm converter) - fixed in 10.27 tk - to be fixed in upcoming 8.5.1 Other affected projects identified by Raphaël Marichez of Gentoo: sourcenav (http://sourcenav.sourceforge.net) (verified in v 5.1.4) insight (http://sourceware.org/insight/) (verified in v 6.5) TK Perl Module (http://search.cpan.org/~ni-s/) (verified in v 804.027) perl-Tk is also shipped in Fedora.
SDL_image-1.2.5-7.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Mitre has assigned CVE id CVE-2007-6697 to this issue as affecting SDL_image.
Public now for other affected projects. Opening comment #9. http://tktoolkit.cvs.sourceforge.net/tktoolkit/tk/generic/tkImgGIF.c?r1=1.40&r2=1.41 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464056
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1231 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1208