[pl] Fix other GIF decoder bug (similar to CVE-2007-6697)

Petr Pisar ppisar at fedoraproject.org
Mon Aug 22 13:19:44 UTC 2011


commit ede36bfe3cb78782b8b32a05c1cccd2540bd3791
Author: Petr Písař <ppisar at redhat.com>
Date:   Mon Aug 22 15:18:30 2011 +0200

    Fix other GIF decoder bug (similar to CVE-2007-6697)
    
    http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7#c4

 pl.spec                           |    5 +++++
 xpce-gif-CVE-2007-6697-like.patch |   24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 0 deletions(-)
---
diff --git a/pl.spec b/pl.spec
index de1aa79..c38041b 100644
--- a/pl.spec
+++ b/pl.spec
@@ -32,6 +32,8 @@ Patch5:     %{name}-5.10.2-FIXED-Bug-470-Using-export-dynamic-is-not-a-valid-gc.
 # Upstream bug #7, will be in 5.10.5, CVE-2011-2896, rhbz#727800
 Patch6:     xpce-gif-CVE-2011-2896-part_1.patch
 Patch7:     xpce-gif-CVE-2011-2896-part_2.patch
+# Upstream bug #7, comment 4, will be in 5.10.5
+Patch8:     xpce-gif-CVE-2007-6697-like.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # Base
@@ -143,6 +145,7 @@ in Prolog.  In both setups it provides a reentrant bidirectional interface.
 cd packages/xpce
 %patch6 -p1 -b .CVE-2011-2896-part_1
 %patch7 -p1 -b .CVE-2011-2896-part_2
+%patch8 -p1 -b .CVE-2007-6697-like
 )
 (
    cd src
@@ -320,6 +323,8 @@ rm -rf $RPM_BUILD_ROOT
 * Fri Aug 19 2011 Petr Pisar <ppisar at redhat.com> - 5.10.2-4
 - Fix CVE-2011-2896 (David Koblas' GIF decoder LZW decoder buffer overflow)
   (bug #727800)
+- Fix other GIF decoder bug
+  (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7#c4)
 
 * Thu Feb 10 2011 Petr Pisar <ppisar at redhat.com> - 5.10.2-3
 - Pass -export-dynamic to linker properly
diff --git a/xpce-gif-CVE-2007-6697-like.patch b/xpce-gif-CVE-2007-6697-like.patch
new file mode 100644
index 0000000..633799e
--- /dev/null
+++ b/xpce-gif-CVE-2007-6697-like.patch
@@ -0,0 +1,24 @@
+From: Jan Wielemaker <J.Wielemaker at cs.vu.nl>
+Date: Thu, 18 Aug 2011 18:48:18 +0000 (+0200)
+Subject: SECURITY: Bug#7: Fix CVE-2007-6697
+X-Git-Url: http://www.swi-prolog.org/packages/xpce.git/commitdiff_plain/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652
+
+SECURITY: Bug#7: Fix CVE-2007-6697
+
+The test image https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6697
+in provides an illegal `input_code_size'.
+---
+
+diff --git a/src/img/gifread.c b/src/img/gifread.c
+index 3b8a743..ecffccb 100644
+--- a/src/img/gifread.c
++++ b/src/img/gifread.c
+@@ -555,7 +555,7 @@ ReadImage(IOSTREAM *fd,
+   int xpos = 0, ypos = 0, pass = 0;
+   long curidx;
+ 
+-  if (!ReadOK(fd, &c, 1))
++  if ( !ReadOK(fd, &c, 1) || c > MAX_LZW_BITS )
+   { return GIF_INVALID;
+   }
+   if (LZWReadByte(fd, TRUE, c) < 0)
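Review bot: The added guard `c > MAX_LZW_BITS` in ReadImage bounds the file-supplied code size only from above, and whether that is enough depends on the type of `c`, which is declared outside this hunk. If `c` is a plain `char` on a platform where `char` is signed, bytes 0x80–0xFF compare as negative and pass the check before reaching `LZWReadByte(fd, TRUE, c)`; confirm it is `unsigned char`, or compare through a cast as in `(unsigned char)c > MAX_LZW_BITS`. The check also admits `c == MAX_LZW_BITS`, so if the decoder starts with codes one bit wider than this value (not visible here), `>=` would be the tighter bound and should be checked against the table sizes in LZWReadByte. A one-line comment such as `/* reject an LZW minimum code size the decode tables cannot hold */` would record why the test is there.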

