On Mon, 25 May 2009 13:43:08 -0600 Jake Edge <jake(a)lwn.net> wrote:
I don't know much about CVE assignment and the like (but perhaps
should), but it would seem to me that the two CVEs from 2005 apply to
libungif rather than giflib and that new CVEs should be created or
applied for as it is a different package affected (though I assume
they share much of the same code) ...
If the affected code is re-used in multiple projects, the same CVE id
is used to refer to the flaw in all projects that contain shared code
(for examples, think of flaws in xpdf source code that usually need to
be fixed in xpdf, poppler, cups, for older distros also kdegraphics,
gpdf, ...; or mozilla flaws fixed in firefox, seamonkey, thunderbird).
While it's not quite obvious, libungif and giflib do not really seem to
be different projects. I have not tried to track down all its
history, but diffing their sources, the only real difference in 4.1.3
was that giflib supported LZW encoding and libungif did not. Excluding
Makefile / configure / README differences, this boils down to about 200
lines of unified diff.
it would also seem plausible that other distributions using giflib
fell into the same hole ... or is this purely a Fedora/RHEL issue
because they stuck with giflib 4.1.3?
Following upstream releases more closely, this could have been fixed
quite some time ago.
Tomas Hoger / Red Hat Security Response Team