Bug 430100 - (CVE-2007-6697) CVE-2007-6697 SDL_image: GIF handling buffer overflow
CVE-2007-6697 SDL_image: GIF handling buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=bugtraq,reported=20080123,publ...
: Reopened, Security
Depends On: 430238 430239 430241
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-24 10:14 EST by Tomas Hoger
Modified: 2008-04-24 07:15 EDT (History)
5 users (show)

See Also:
Fixed In Version: 1.2.5-7.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-24 07:15:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Reproducer from the advisory (821 bytes, image/gif)
2008-01-24 10:23 EST, Tomas Hoger
no flags Details

  None (edit)
Description Tomas Hoger 2008-01-24 10:14:11 EST
Input validation flaw was discovered in the SDL_image image handling library. 
Value read from the Gif file is not properly validated against the buffer size
and can cause a buffer overflow.

More details about this issue can be found here:

http://marc.info/?l=bugtraq&m=120110205511630&w=4

Advisory states new upstream version 1.2.7 should be released soon addressing
this flaw.

Relevant upstream SVN commit seems to be:
http://www.libsdl.org/cgi/viewvc.cgi/trunk/SDL_image/IMG_gif.c?r1=3462&r2=3461&pathrev=3462
Comment 1 Tomas Hoger 2008-01-24 10:23:56 EST
Created attachment 292800 [details]
Reproducer from the advisory
Comment 3 Tomas Hoger 2008-01-24 12:40:07 EST
This seems to be the same issue as CVE-2006-4484 (reported for gd embedded in
php sources back in 2006):

Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the
GD extension in PHP before 5.1.5 allows remote attackers to have an unknown
impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which
triggers an overflow when initializing the table array.

GD/PHP CVS commit:
http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd_gif_in.c?r1=1.3&r2=1.4

Seems to be included in upstream gd as of version 2.0.34.
Comment 4 Brian Pepple 2008-01-24 18:20:55 EST
Hey Tomas, should this bug still be filed against SDL_image, or should I open a
new bug against it?
Comment 5 Tomas Hoger 2008-01-25 08:23:46 EST
Brian, our process is to file security bugs against 'Security Response' product
and make "tracking bugs" for affected product versions (current versions of
Fedora, Red Hat Enterprise Linux, Red Hat layered products).  Technically, you
do not need Fedora bugs against SDL_image component in any specific Fedora
version, but we usually create them to make tracking of the issue easier.
Comment 8 Fedora Update System 2008-01-29 15:26:54 EST
SDL_image-1.2.5-7.fc7 has been submitted as an update for Fedora 7
Comment 9 Tomas Hoger 2008-02-01 10:58:13 EST
There are other apps / projects affected by this problem too, as this GIF
handling code that seem to have been originally written by David Koblas is used
in more or less modified form in many projects:

Already listed above:

SDL_image - to be fixed in 1.2.7
gd - fixed in 2.0.34

Other identified affected projects:

netpbm (giftopnm converter) - fixed in 10.27
tk - to be fixed in upcoming 8.5.1

Other affected projects identified by Raphaël Marichez of Gentoo:

sourcenav (http://sourcenav.sourceforge.net) (verified in v 5.1.4)
insight (http://sourceware.org/insight/) (verified in v 6.5)
TK Perl Module (http://search.cpan.org/~ni-s/) (verified in v 804.027)

perl-Tk is also shipped in Fedora.
Comment 10 Fedora Update System 2008-02-01 20:20:20 EST
SDL_image-1.2.5-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-02-02 03:59:21 EST
SDL_image-1.2.5-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Tomas Hoger 2008-02-02 12:32:10 EST
Mitre has assigned CVE id CVE-2007-6697 to this issue as affecting SDL_image.
Comment 14 Red Hat Product Security 2008-04-24 07:15:16 EDT
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1231
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1208


Note You need to log in before you can comment on or make changes to this bug.