Bug 430100 (CVE-2007-6697) - CVE-2007-6697 SDL_image: GIF handling buffer overflow
Summary: CVE-2007-6697 SDL_image: GIF handling buffer overflow
Alias: CVE-2007-6697
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 430238 430239 430241
TreeView+ depends on / blocked
Reported: 2008-01-24 15:14 UTC by Tomas Hoger
Modified: 2019-09-29 12:22 UTC (History)
5 users (show)

Fixed In Version: 1.2.5-7.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-04-24 11:15:16 UTC

Attachments (Terms of Use)
Reproducer from the advisory (821 bytes, image/gif)
2008-01-24 15:23 UTC, Tomas Hoger
no flags Details

Description Tomas Hoger 2008-01-24 15:14:11 UTC
Input validation flaw was discovered in the SDL_image image handling library. 
Value read from the Gif file is not properly validated against the buffer size
and can cause a buffer overflow.

More details about this issue can be found here:


Advisory states new upstream version 1.2.7 should be released soon addressing
this flaw.

Relevant upstream SVN commit seems to be:

Comment 1 Tomas Hoger 2008-01-24 15:23:56 UTC
Created attachment 292800 [details]
Reproducer from the advisory

Comment 3 Tomas Hoger 2008-01-24 17:40:07 UTC
This seems to be the same issue as CVE-2006-4484 (reported for gd embedded in
php sources back in 2006):

Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the
GD extension in PHP before 5.1.5 allows remote attackers to have an unknown
impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which
triggers an overflow when initializing the table array.

GD/PHP CVS commit:

Seems to be included in upstream gd as of version 2.0.34.

Comment 4 Brian Pepple 2008-01-24 23:20:55 UTC
Hey Tomas, should this bug still be filed against SDL_image, or should I open a
new bug against it?

Comment 5 Tomas Hoger 2008-01-25 13:23:46 UTC
Brian, our process is to file security bugs against 'Security Response' product
and make "tracking bugs" for affected product versions (current versions of
Fedora, Red Hat Enterprise Linux, Red Hat layered products).  Technically, you
do not need Fedora bugs against SDL_image component in any specific Fedora
version, but we usually create them to make tracking of the issue easier.

Comment 8 Fedora Update System 2008-01-29 20:26:54 UTC
SDL_image-1.2.5-7.fc7 has been submitted as an update for Fedora 7

Comment 9 Tomas Hoger 2008-02-01 15:58:13 UTC
There are other apps / projects affected by this problem too, as this GIF
handling code that seem to have been originally written by David Koblas is used
in more or less modified form in many projects:

Already listed above:

SDL_image - to be fixed in 1.2.7
gd - fixed in 2.0.34

Other identified affected projects:

netpbm (giftopnm converter) - fixed in 10.27
tk - to be fixed in upcoming 8.5.1

Other affected projects identified by Raphaël Marichez of Gentoo:

sourcenav (http://sourcenav.sourceforge.net) (verified in v 5.1.4)
insight (http://sourceware.org/insight/) (verified in v 6.5)
TK Perl Module (http://search.cpan.org/~ni-s/) (verified in v 804.027)

perl-Tk is also shipped in Fedora.

Comment 10 Fedora Update System 2008-02-02 01:20:20 UTC
SDL_image-1.2.5-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-02-02 08:59:21 UTC
SDL_image-1.2.5-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Tomas Hoger 2008-02-02 17:32:10 UTC
Mitre has assigned CVE id CVE-2007-6697 to this issue as affecting SDL_image.

Comment 14 Red Hat Product Security 2008-04-24 11:15:16 UTC
This issue was addressed in:


Note You need to log in before you can comment on or make changes to this bug.