Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package giflib for openSUSE:Factory checked 
in at 2026-06-25 10:49:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/giflib (Old)
 and      /work/SRC/openSUSE:Factory/.giflib.new.2088 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "giflib"

Thu Jun 25 10:49:51 2026 rev:46 rq:1361498 version:5.2.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/giflib/giflib.changes    2026-03-12 
22:22:12.654120468 +0100
+++ /work/SRC/openSUSE:Factory/.giflib.new.2088/giflib.changes  2026-06-25 
10:51:31.745583335 +0200
@@ -1,0 +2,9 @@
+Wed Jun 24 00:00:38 UTC 2026 - Fridrich Strba <[email protected]>
+
+- Added patch:
+  * 0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch
+    + fixing bsc#1259836 (CVE-2026-26740): heap out-of-bounds read
+      when processing a specially crafted GIF file containing a GCE
+      block with a truncated extension byte count
+
+-------------------------------------------------------------------

New:
----
  0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch

----------(New B)----------
  New:- Added patch:
  * 0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch
    + fixing bsc#1259836 (CVE-2026-26740): heap out-of-bounds read
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ giflib.spec ++++++
--- /var/tmp/diff_new_pack.ypXine/_old  2026-06-25 10:51:32.993626555 +0200
+++ /var/tmp/diff_new_pack.ypXine/_new  2026-06-25 10:51:33.001626833 +0200
@@ -32,6 +32,7 @@
 Patch3:         0001-Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch
 Patch4:         giflib-bsc1240416.patch
 Patch5:         0001-Avoid-potentuial-double-free-on-weird-images.patch
+Patch6:         0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch
 BuildRequires:  fdupes
 BuildRequires:  libtool >= 2
 

++++++ 0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch ++++++
>From 64e8cc926dc4e1c27e54f8c9da90982d8d3069e2 Mon Sep 17 00:00:00 2001
From: Anthony Hurtado <[email protected]>
Date: Mon, 1 Jun 2026 15:40:48 -0500
Subject: [PATCH] Fix CVE-2026-26740: heap OOB write in EGifGCBToSavedExtension

EGifGCBToSavedExtension calls EGifGCBToExtension which unconditionally
writes 4 bytes into ep->Bytes without checking ep->ByteCount.  If the
extension block was allocated with fewer than 4 bytes, this results in
a heap buffer overflow.

The read-side counterpart DGifExtensionToGCB already validates that
GifExtensionLength == 4 before reading.  Add the symmetric check on
the write side: return GIF_ERROR when ep->ByteCount < 4.

Signed-off-by: Anthony Hurtado <[email protected]>
---
 egif_lib.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/egif_lib.c b/egif_lib.c
index 1526868..8160560 100644
--- a/egif_lib.c
+++ b/egif_lib.c
@@ -678,6 +678,9 @@ int EGifGCBToSavedExtension(const GraphicsControlBlock *GCB,
                ExtensionBlock *ep =
                    &GifFile->SavedImages[ImageIndex].ExtensionBlocks[i];
                if (ep->Function == GRAPHICS_EXT_FUNC_CODE) {
+                       if (ep->ByteCount < 4) {
+                               return GIF_ERROR;
+                       }
                        EGifGCBToExtension(GCB, ep->Bytes);
                        return GIF_OK;
                }
-- 
2.54.0

Reply via email to