963796 – (CVE-2014-9762) VUL-1: CVE-2014-9762: imlib2: Segmentation fault on images without colormap

Bug 963796 (CVE-2014-9762) - VUL-1: CVE-2014-9762: imlib2: Segmentation fault on images without colormap

Summary: VUL-1: CVE-2014-9762: imlib2: Segmentation fault on images without colormap

Status:	RESOLVED FIXED

Alias:	CVE-2014-9762

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/161231/
Whiteboard:	CVSSv2:SUSE:CVE-2014-9762:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-01-27 14:29 UTC by Johannes Segitz
Modified:	2020-06-18 02:31 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2016-01-27 14:29:33 UTC

https://git.enlightenment.org/legacy/imlib2.git/commit/?h=v1.4.7&id=39641e74a560982fbf93f29bf96b37d27803cb56
GIF loader: Fix segv on images without colormap.

Use CVE-2014-9762.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1301614
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9762
http://seclists.org/oss-sec/2016/q1/182
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9762.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9762

Comment 1 Swamp Workflow Management 2016-01-28 23:01:47 UTC

bugbot adjusting priority

Comment 2 Simon Lees 2016-04-03 04:34:22 UTC

These issues CVE-2014-9763 CVE-2014-9764 CVE-2014-9762 are all related to handling with giflib they also effect efl/evas in openSUSE (All supported releases). Upstream also recommends updating to 5.1.4 of giflib. I'm happy to do the imlib2 / evas fixes. 

Original bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785369

giflib bug report: https://sourceforge.net/p/giflib/bugs/94/
giflib fix: https://sourceforge.net/p/giflib/code/ci/cb88511b50621233ae93858ba38f004726d1bc5d/

evas / efl upstream fix commits:
dd90b6afadf706aafec9e53a6b1efa8f899ab277
f56e33f429cfc165a5a7e7c75c5b2271ba8b58d8

Upstream Mailing list threads (don't ask why there are 4):
https://www.mail-archive.com/enlightenment-devel@lists.sourceforge.net/msg80456.html
https://www.mail-archive.com/enlightenment-devel@lists.sourceforge.net/msg80454.html
https://www.mail-archive.com/enlightenment-devel@lists.sourceforge.net/msg80444.html

Comment 3 Simon Lees 2016-04-03 22:38:49 UTC

My mistake, the issues I raised seem new, I'll create a new ticket but fix these at the same time.

Comment 4 Simon Lees 2016-04-04 00:58:17 UTC

This issue also effects evas as part of the efl in openSUSE.

Fix: https://git.enlightenment.org/core/efl.git/commit/?id=dd90b6afadf706aafec9e53a6b1efa8f899ab277

Comment 5 Simon Lees 2016-04-04 01:42:15 UTC

The series of patches in bsc#973759 supersedes and reverts this patch. As such no action is required in SLE (the evas patch still needs to be applied in openSUSE)

Comment 6 Swamp Workflow Management 2016-05-18 12:12:27 UTC

openSUSE-SU-2016:1330-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 963796,963797,963800,973759,973761,974202,974854,975703
CVE References: CVE-2011-5326,CVE-2014-9762,CVE-2014-9763,CVE-2014-9764,CVE-2014-9771,CVE-2016-3993,CVE-2016-3994,CVE-2016-4024
Sources used:
openSUSE 13.2 (src):    imlib2-1.4.9-17.4.1

Comment 7 Marcus Meissner 2017-06-15 21:29:34 UTC

released

Comment 8 Swamp Workflow Management 2018-03-27 23:40:26 UTC

This is an autogenerated message for OBS integration:
This bug (963796) was mentioned in
https://build.opensuse.org/request/show/591766 15.0 / efl