963800 – (CVE-2014-9763) VUL-1: CVE-2014-9763: imlib2: Division-by-zero crashes when opening images

Bug 963800 (CVE-2014-9763) - VUL-1: CVE-2014-9763: imlib2: Division-by-zero crashes when opening images

Summary: VUL-1: CVE-2014-9763: imlib2: Division-by-zero crashes when opening images

Status:	RESOLVED FIXED

Alias:	CVE-2014-9763

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/161232/
Whiteboard:	CVSSv2:SUSE:CVE-2014-9762:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-01-27 14:52 UTC by Johannes Segitz
Modified:	2020-03-18 18:15 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2016-01-27 14:52:07 UTC

https://git.enlightenment.org/legacy/imlib2.git/commit/?h=v1.4.7&id=c21beaf1780cf3ca291735ae7d58a3dde63277a2
Prevent division-by-zero crashes

Use CVE-2014-9763.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1301614
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9763
http://seclists.org/oss-sec/2016/q1/182
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9763.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9763

Comment 1 Swamp Workflow Management 2016-01-28 23:02:07 UTC

bugbot adjusting priority

Comment 2 Simon Lees 2016-04-03 04:33:56 UTC

These issues CVE-2014-9763 CVE-2014-9764 CVE-2014-9762 are all related to handling with giflib they also effect efl/evas in openSUSE (All supported releases). Upstream also recommends updating to 5.1.4 of giflib. I'm happy to do the imlib2 / evas fixes. 

Original bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785369

giflib bug report: https://sourceforge.net/p/giflib/bugs/94/
giflib fix: https://sourceforge.net/p/giflib/code/ci/cb88511b50621233ae93858ba38f004726d1bc5d/

evas / efl upstream fix commits:
dd90b6afadf706aafec9e53a6b1efa8f899ab277
f56e33f429cfc165a5a7e7c75c5b2271ba8b58d8

Upstream Mailing list threads (don't ask why there are 4):
https://www.mail-archive.com/enlightenment-devel@lists.sourceforge.net/msg80456.html
https://www.mail-archive.com/enlightenment-devel@lists.sourceforge.net/msg80454.html
https://www.mail-archive.com/enlightenment-devel@lists.sourceforge.net/msg80444.html

Comment 3 Simon Lees 2016-04-03 22:38:57 UTC

My mistake, the issues I raised seem new, I'll create a new ticket but fix these at the same time.

Comment 6 Swamp Workflow Management 2016-05-18 12:12:56 UTC

openSUSE-SU-2016:1330-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 963796,963797,963800,973759,973761,974202,974854,975703
CVE References: CVE-2011-5326,CVE-2014-9762,CVE-2014-9763,CVE-2014-9764,CVE-2014-9771,CVE-2016-3993,CVE-2016-3994,CVE-2016-4024
Sources used:
openSUSE 13.2 (src):    imlib2-1.4.9-17.4.1

Comment 7 Swamp Workflow Management 2016-06-03 11:08:44 UTC

SUSE-SU-2016:1481-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 963797,963800,973759,973761,974202,977538
CVE References: CVE-2011-5326,CVE-2014-9763,CVE-2014-9764,CVE-2016-3993,CVE-2016-3994
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    imlib2-1.4.2-2.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    imlib2-1.4.2-2.20.1

Comment 8 Marcus Meissner 2017-06-15 21:29:47 UTC

released