Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:giflib
User: [email protected]
Usertags: pu

Fixes two low-severity security issues, which don't warrant a DSA. All tests
in debusine were fine, debdiff below.

Cheers,
        Moritz
        
diff -Nru giflib-5.2.2/debian/changelog giflib-5.2.2/debian/changelog
--- giflib-5.2.2/debian/changelog       2024-02-25 18:44:51.000000000 +0100
+++ giflib-5.2.2/debian/changelog       2026-06-13 17:19:16.000000000 +0200
@@ -1,3 +1,10 @@
+giflib (5.2.2-1+deb13u1) trixie; urgency=medium
+
+  * CVE-2026-23868 (Closes: #1130495) 
+  * CVE-2026-26740 (Closes: #1131368)
+
+ -- Moritz Mühlenhoff <[email protected]>  Sat, 13 Jun 2026 17:19:16 +0200
+
 giflib (5.2.2-1) unstable; urgency=medium
 
   [ Debian Janitor]
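Review bot: The two new changelog entries give only the CVE ids and bug numbers, with no summary of what was fixed; for a stable update each line should say what the patch does, e.g. `* CVE-2026-23868: don't free CopyFrom's data when an allocation fails in GifMakeSavedImage (Closes: #1130495)` and `* CVE-2026-26740: fix heap buffer overflow in EGifGCBToSavedExtension (Closes: #1131368)`. The first entry also carries a trailing space after `(Closes: #1130495)`.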
diff -Nru giflib-5.2.2/debian/patches/CVE-2026-23868.patch 
giflib-5.2.2/debian/patches/CVE-2026-23868.patch
--- giflib-5.2.2/debian/patches/CVE-2026-23868.patch    1970-01-01 
01:00:00.000000000 +0100
+++ giflib-5.2.2/debian/patches/CVE-2026-23868.patch    2026-06-13 
17:17:46.000000000 +0200
@@ -0,0 +1,21 @@
+commit f5b7267aed3665ef025c13823e454170d031c106
+Author: Eric S. Raymond <[email protected]>
+Date:   Wed Mar 4 18:49:49 2026 -0500
+
+--- giflib-5.2.2.orig/gifalloc.c
++++ giflib-5.2.2/gifalloc.c
+@@ -349,6 +349,14 @@ SavedImage *GifMakeSavedImage(GifFileTyp
+                        * aliasing problems.
+                        */
+ 
++                      /* Null out aliased pointers before any allocations
++                       * so that FreeLastSavedImage won't free CopyFrom's
++                       * data if an allocation fails partway through. */
++                      sp->ImageDesc.ColorMap = NULL;
++                      sp->RasterBits = NULL;
++                      sp->ExtensionBlocks = NULL;
++                      sp->ExtensionBlockCount = 0;
++ 
+                       /* first, the local color map */
+                       if (CopyFrom->ImageDesc.ColorMap != NULL) {
+                               sp->ImageDesc.ColorMap = GifMakeMapObject(
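Review bot: Because `sp->ExtensionBlockCount` is zeroed before the copies, the extension-block copy that follows this hunk must take its count from `CopyFrom->ExtensionBlockCount` rather than from `sp`; the hunk stops at the color-map branch, so that is worth confirming against the full gifalloc.c when applying. The patch header gives the upstream commit id, author and date but no subject, description or Debian bug reference; adding DEP-3 `Description:` and `Bug-Debian: https://bugs.debian.org/1130495` lines would make the patch self-describing. The added `++ ` line introduces trailing whitespace into gifalloc.c.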
diff -Nru giflib-5.2.2/debian/patches/CVE-2026-26740.patch 
giflib-5.2.2/debian/patches/CVE-2026-26740.patch
--- giflib-5.2.2/debian/patches/CVE-2026-26740.patch    1970-01-01 
01:00:00.000000000 +0100
+++ giflib-5.2.2/debian/patches/CVE-2026-26740.patch    2026-06-13 
17:19:11.000000000 +0200
@@ -0,0 +1,48 @@
+From a3a600aa97c24734dde0b0951542488095f38ad4 Mon Sep 17 00:00:00 2001
+From: rootvector2 <[email protected]>
+Date: Sat, 16 May 2026 00:41:28 +0530
+Subject: [PATCH] Fix heap buffer overflow in EGifGCBToSavedExtension
+
+EGifGCBToExtension() unconditionally writes 4 bytes into the buffer
+passed to it, but EGifGCBToSavedExtension() invoked it on ep->Bytes
+without checking ep->ByteCount.  DGifSlurp() preserves whatever
+sub-block size the source GIF declared when it stores extension
+blocks, so a malformed GIF whose Graphics Control Extension declares
+a sub-block size less than 4 leaves a saved extension shorter than
+the 4 bytes EGifGCBToExtension() then writes.  Tools that round-trip
+a GIF through DGifSlurp() and EGifGCBToSavedExtension() (for example
+giftool -d, -t, -u and -x) corrupt the heap on such input.
+
+Resize the existing extension to exactly 4 bytes before writing,
+matching the invariant DGifExtensionToGCB() enforces on the read side.
+
+Reproduced under AddressSanitizer with a 40-byte crafted GIF whose
+Graphics Control Extension declares a 1-byte sub-block; giftool -d
+then triggers a 1-byte heap write past the end of the ep->Bytes
+allocation made in GifAddExtensionBlock().
+---
+ egif_lib.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- giflib-5.2.2.orig/egif_lib.c
++++ giflib-5.2.2/egif_lib.c
+@@ -678,6 +678,19 @@ int EGifGCBToSavedExtension(const Graphi
+               ExtensionBlock *ep =
+                   &GifFile->SavedImages[ImageIndex].ExtensionBlocks[i];
+               if (ep->Function == GRAPHICS_EXT_FUNC_CODE) {
++                      /* A Graphics Control Block is always 4 bytes.  If
++                       * the existing block came from a malformed GIF and
++                       * is shorter, resize it so EGifGCBToExtension does
++                       * not write past the end of ep->Bytes. */
++                      if (ep->ByteCount != 4) {
++                              GifByteType *new_bytes =
++                                  (GifByteType *)realloc(ep->Bytes, 4);
++                              if (new_bytes == NULL) {
++                                      return GIF_ERROR;
++                              }
++                              ep->Bytes = new_bytes;
++                              ep->ByteCount = 4;
++                      }
+                       EGifGCBToExtension(GCB, ep->Bytes);
+                       return GIF_OK;
+               }
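Review bot: The `ep->ByteCount != 4` branch also fires for blocks longer than 4 bytes and silently shrinks them with `realloc`, which matches the 4-byte invariant but is not what the comment says ("is shorter"); reword it to "is not exactly 4 bytes" so the truncation is deliberate rather than surprising. The failure path is correct as written: on `realloc` failure the original `ep->Bytes` stays valid and `ep->ByteCount` is untouched, so returning `GIF_ERROR` leaves the saved image consistent. As with the other patch, a `Bug-Debian: https://bugs.debian.org/1131368` line in the header would tie it to the bug it closes.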
diff -Nru giflib-5.2.2/debian/patches/series giflib-5.2.2/debian/patches/series
--- giflib-5.2.2/debian/patches/series  2024-02-25 18:29:30.000000000 +0100
+++ giflib-5.2.2/debian/patches/series  2026-06-13 17:18:11.000000000 +0200
@@ -5,3 +5,5 @@
 dont-spoil-tests-with-stderr.patch
 giflib_quantize-header.patch
 Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch
+CVE-2026-23868.patch
+CVE-2026-26740.patch
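Review bot: Appending both patches after the existing CVE-2021-40633 patch is the right order. One style point: the existing CVE patch in series has a descriptive name (`Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch`) while the two new ones are bare CVE ids, so the one-line summary of each fix has to live in the patch header instead.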