Debian Security Advisory

DLA-3223-1 giflib -- LTS security update

Date Reported:
05 Dec 2022
Affected Packages:
giflib
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 904114.
In Mitre's CVE dictionary: CVE-2018-11490, CVE-2019-15133.
More information:

This update fixes two file format vulnerabilities in giflib.

  • CVE-2018-11490

    The

    DGifDecompressLine
    function in
    dgif_lib.c
    , as later shipped in
    cgif.c
    in sam2p 0.49.4, has a heap-based buffer overflow because a certain "
    Private->RunningCode - 2
    " array index is not checked. This will lead to a denial of service or possibly unspecified other impact.

  • CVE-2019-15133

    A malformed GIF file triggers a divide-by-zero exception in the decoder function

    DGifSlurp
    in
    dgif_lib.c
    if the
    height
    field of the
    ImageSize
    data structure is equal to zero.

For Debian 10 buster, these problems have been fixed in version 5.1.4-3+deb10u1.

We recommend that you upgrade your giflib packages.

For the detailed security status of giflib please refer to its security tracker page at: https://security-tracker.debian.org/tracker/giflib

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS