#21574 closed enhancement (fixed)
Fix CVE-2025-31344 in giflib
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.4 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
While scanning through my email, I noticed another distribution did an update to giflib, and I ran into it earlier while working on a project. It looks like a heap buffer overflow in the gif2rgb utility.
The patch can be found from OpenMandriva at https://github.com/OpenMandrivaAssociation/giflib/commit/bac0c2a8513260bda83df96a16dc6b2082b16557
More details about the vulnerability can be found at https://github.com/advisories/GHSA-4764-r75x-h867
Even though the vulnerability is rated as High, I'm going to mark the ticket as Elevated because it's in a utility rather than the library.
Change History (5)
comment:1 by , 9 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 9 months ago
comment:3 by , 9 months ago
I'm really hoping this gets sorted out in a more conclusive way in the future, since it seems upstream has abandoned giflib (even though it's used all over).
comment:4 by , 9 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |

It looks like there are 4 CVEs in giflib. See: https://github.com/openwrt/packages/issues/26277
According to his research and testing, he thinks they are all the same issue.