Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <543-67f42c80-17-5396a400@98757176>
Date: Mon, 07 Apr 2025 21:50:30 +0200
From: Bernhard Rosenkränzer <bero@...dev.ch>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer 
 overflow vulnerability.

On Monday, April 07, 2025 15:15 CEST, 李亚杰 <liyajie@...neuler.sh> wrote:

> Affected Versions:
> - giflib 5.2.2 and below
> 
> Description:
> In the function DumpScreen2RGB of the giflib software, an attempt is made to access the color map through ColorMapEntry.
> The size of ColorMap is 6 bytes (from 0x602000000030 to 0x602000000036). However, when accessing
> ColorMap->Colors[GifRow[j]], the value of GifRow[j] exceeds the actual number of colors stored.

Thanks for the disclosure. Since there doesn't seem to be a proposed patch yet, here's mine:
https://github.com/OpenMandrivaAssociation/giflib/blob/master/giflib-5.2.2-cve-2025-31344.patch

ttyl
bero

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.