Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package giflib for openSUSE:Factory checked in at 2026-06-25 10:49:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/giflib (Old) and /work/SRC/openSUSE:Factory/.giflib.new.2088 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "giflib" Thu Jun 25 10:49:51 2026 rev:46 rq:1361498 version:5.2.2 Changes: -------- --- /work/SRC/openSUSE:Factory/giflib/giflib.changes 2026-03-12 22:22:12.654120468 +0100 +++ /work/SRC/openSUSE:Factory/.giflib.new.2088/giflib.changes 2026-06-25 10:51:31.745583335 +0200 @@ -1,0 +2,9 @@ +Wed Jun 24 00:00:38 UTC 2026 - Fridrich Strba <[email protected]> + +- Added patch: + * 0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch + + fixing bsc#1259836 (CVE-2026-26740): heap out-of-bounds read + when processing a specially crafted GIF file containing a GCE + block with a truncated extension byte count + +------------------------------------------------------------------- New: ---- 0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch ----------(New B)---------- New:- Added patch: * 0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch + fixing bsc#1259836 (CVE-2026-26740): heap out-of-bounds read ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ giflib.spec ++++++ --- /var/tmp/diff_new_pack.ypXine/_old 2026-06-25 10:51:32.993626555 +0200 +++ /var/tmp/diff_new_pack.ypXine/_new 2026-06-25 10:51:33.001626833 +0200 @@ -32,6 +32,7 @@ Patch3: 0001-Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch Patch4: giflib-bsc1240416.patch Patch5: 0001-Avoid-potentuial-double-free-on-weird-images.patch +Patch6: 0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch BuildRequires: fdupes BuildRequires: libtool >= 2 ++++++ 0001-Fix-CVE-2026-26740-heap-OOB-write-in-EGifGCBToSavedE.patch ++++++ >From 64e8cc926dc4e1c27e54f8c9da90982d8d3069e2 Mon Sep 17 00:00:00 2001 From: Anthony Hurtado <[email protected]> Date: Mon, 1 Jun 2026 15:40:48 -0500 Subject: [PATCH] Fix CVE-2026-26740: heap OOB write in EGifGCBToSavedExtension EGifGCBToSavedExtension calls EGifGCBToExtension which unconditionally writes 4 bytes into ep->Bytes without checking ep->ByteCount. If the extension block was allocated with fewer than 4 bytes, this results in a heap buffer overflow. The read-side counterpart DGifExtensionToGCB already validates that GifExtensionLength == 4 before reading. Add the symmetric check on the write side: return GIF_ERROR when ep->ByteCount < 4. Signed-off-by: Anthony Hurtado <[email protected]> --- egif_lib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/egif_lib.c b/egif_lib.c index 1526868..8160560 100644 --- a/egif_lib.c +++ b/egif_lib.c @@ -678,6 +678,9 @@ int EGifGCBToSavedExtension(const GraphicsControlBlock *GCB, ExtensionBlock *ep = &GifFile->SavedImages[ImageIndex].ExtensionBlocks[i]; if (ep->Function == GRAPHICS_EXT_FUNC_CODE) { + if (ep->ByteCount < 4) { + return GIF_ERROR; + } EGifGCBToExtension(GCB, ep->Bytes); return GIF_OK; } -- 2.54.0
