Debian 10263 Published by

A giflib security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address two file format vulnerabilities.



ELA-751-1 giflib security update

Package : giflib
Version : 4.1.6-11+deb8u2 (jessie), 5.1.4-0.4+deb9u1 (stretch)

Related CVEs :
CVE-2016-3977
CVE-2018-11490
CVE-2019-15133

This update fixes two file format vulnerabilities in giflib and one in the gif2rgb utility.

CVE-2016-3977
Heap-based buffer overflow in util/gif2rgb.c in gif2rgb allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file

CVE-2018-11490
The DGifDecompressLine function in dgif_lib.c, as later shipped in cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a certain "Private->RunningCode - 2" array index is not checked. This will lead to a denial of service or possibly unspecified other impact.

CVE-2019-15133
A malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.

  ELA-751-1 giflib security update