CVE-2016-3977

Published: 21 April 2016

Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file.

Priority

Low

CVSS 3 base score: 5.5

Status

Package Release Status
giflib
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.1.4-2ubuntu0.1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(5.1.4-0.3)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)
Patches:
Upstream: https://sourceforge.net/p/giflib/code/ci/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88/

Notes

AuthorNote
sbeattie
out of bounds read
mdeslaur
looks like this was fixed in 5.1.4-0.3 but then the patch got
dropped again in 5.1.4-0.4 although it's still needed, contrary
to the note in the changelog

References

Bugs