Reinhard Max discovered a buffer overflow flaw in the way Tk's GIF processor handles an interlaced GIF with two frames. It is possible to overflow a buffer if the second frame is smaller than the first. The fix can be found here: http://tktoolkit.cvs.sourceforge.net/tktoolkit/tk/generic/tkImgGIF.c?r1=1.36&r2=1.37
I've searched the RHEL codebase for the tk code that uses the -index option with GIF images. I couldn't find any. Thomas Biege from SUSE says this is an undocumented feature of Tk. We are assigning this flaw low severity.
Fixed in devel. If a fix is needed for another version, please open the bug.
Original CVE id CVE-2007-4851 was rejected as duplicate of CVE-2007-5137:
Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl (Tcl/Tk) before 8.4.16 allows remote attackers to execute arbitrary code via multi-frame interlaced GIF files in which later frames are smaller than the first.
References:
http://secunia.com/advisories/26942
http://sourceforge.net/project/shownotes.php?release_id=541207
http://www.securityfocus.com/bid/25826
Marcela, please update RPM changelog when doing next update of tk in Fedora, as original CVE id was used there. Thanks!
Further analysis by Jamie Strandboge yielded the following results:
This issue was introduced by the fix for SF.net bug report: https://sourceforge.net/tracker/?func=detail&atid=112997&aid=1458234&group_id=12997
Issue only affects tk 8.4.13 - 8.4.15. Affected versions are shipped in Red Hat Enterprise Linux 5, Fedora Core 6 and Fedora 7.
This issue was addressed in:
Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0136.html
Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2564
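Added example, not part of the original bug report and not Tk's code: a small triage scanner that walks a GIF's block structure and flags files with the layout named in the CVE-2007-5137 description above (a multi-frame interlaced GIF with a later frame smaller than the first). The function names, the constructed sample files, and the reading of "smaller" as narrower or shorter than the first frame are assumptions made for this example.

```python
import struct
import sys

def _skip_sub_blocks(data, pos):
    """Advance past length-prefixed sub-blocks up to and including the 0 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def gif_frames(data):
    """Return [(width, height, interlaced), ...], one entry per image descriptor."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                   # header + logical screen descriptor
    if data[10] & 0x80:                        # global colour table present
        pos += 3 * (2 << (data[10] & 7))
    frames = []
    while pos < len(data) and data[pos] != 0x3B:   # 0x3B = trailer
        if data[pos] == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif data[pos] == 0x2C and pos + 10 <= len(data):   # image descriptor
            w, h, flags = struct.unpack_from("<4xHHB", data, pos + 1)
            frames.append((w, h, bool(flags & 0x40)))       # bit 6 = interlace flag
            pos += 10
            if flags & 0x80:                   # local colour table present
                pos += 3 * (2 << (flags & 7))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            raise ValueError("unexpected or truncated block at offset %d" % pos)
    return frames

def has_shrinking_interlaced_frames(data):
    """True if a later frame is smaller than the first and any frame is interlaced."""
    frames = gif_frames(data)
    w0, h0 = frames[0][:2] if frames else (0, 0)
    shrinks = any(w < w0 or h < h0 for w, h, _ in frames[1:])
    return shrinks and any(i for _, _, i in frames)

def make_sample(frames):
    """Constructed input: structurally valid GIF whose image data is a dummy sub-block."""
    out = b"GIF89a" + struct.pack("<HHBBB", frames[0][0], frames[0][1], 0, 0, 0)
    for w, h, interlaced in frames:
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, w, h, 0x40 if interlaced else 0)
        out += b"\x02\x01\x00\x00"             # LZW min code size, 1-byte sub-block, end
    return out + b"\x3b"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, has_shrinking_interlaced_frames(fh.read()))
```

A True result only says the file has the frame layout described in the advisory; whether it matters depends on the installed Tk version (8.4.13 - 8.4.15 per the analysis above).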