First published: Mon Apr 11 2016
A heap buffer overflow vulnerability was found in giflib. A maliciously crafted GIF file could cause the application to crash.

External references: <https://sourceforge.net/p/giflib/bugs/87/>

Upstream fix: <https://sourceforge.net/p/giflib/code/ci/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88/>

References: <http://bugs.fi/2016-03-gif2rgb.txt>, <http://bugs.fi/media/afl/giflib/1.gif>
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
openSUSE openSUSE | =13.2 | |
GifLib Project GifLib | <=5.1.2 | |
debian/giflib | 5.1.9-2, 5.2.1-2.5, 5.2.2-1 | |
CVE-2016-3977 is a vulnerability in gif2rgb in giflib 5.1.2 that allows remote attackers to cause a denial of service (application crash) via a heap-based buffer overflow in the background color index in a GIF file.
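An added example, not giflib's code or the upstream patch: a standalone C check that reads the Logical Screen Descriptor of a GIF header and flags a background color index that falls outside the global color table. It assumes the out-of-bounds access comes from using that index without comparing it to the table size; the function, enum and sample names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Screening result; these names belong to this example only. */
enum gif_bg_check {
    GIF_BG_OK = 0,        /* index falls inside the global color table */
    GIF_BG_NO_TABLE,      /* no global table: validate against the table actually used */
    GIF_BG_OUT_OF_RANGE,  /* index >= number of global color table entries */
    GIF_BG_MALFORMED      /* too short, or not a GIF87a/GIF89a signature */
};

/* Check the 6-byte signature plus 7-byte Logical Screen Descriptor. */
enum gif_bg_check gif_check_background(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 13)
        return GIF_BG_MALFORMED;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_BG_MALFORMED;

    uint8_t packed = buf[10];    /* bit 7: table present, bits 0-2: size field */
    uint8_t bg_index = buf[11];  /* background color index */

    /* Without a global color table the index has nothing to point into here. */
    if ((packed & 0x80) == 0)
        return GIF_BG_NO_TABLE;

    unsigned entries = 1u << ((packed & 0x07) + 1);  /* 2 to 256 entries */
    return bg_index < entries ? GIF_BG_OK : GIF_BG_OUT_OF_RANGE;
}

/* Constructed sample headers, not taken from the referenced test file. */
static const uint8_t sample_ok[13] =       /* 4-entry table, index 3 */
    { 'G','I','F','8','9','a', 4,0, 4,0, 0x81, 3, 0 };
static const uint8_t sample_bad[13] =      /* 4-entry table, index 200 */
    { 'G','I','F','8','9','a', 4,0, 4,0, 0x81, 200, 0 };
static const uint8_t sample_notable[13] =  /* table flag clear */
    { 'G','I','F','8','9','a', 4,0, 4,0, 0x01, 200, 0 };

int main(void)
{
    printf("ok=%d\n", (int)gif_check_background(sample_ok, sizeof sample_ok));
    printf("bad=%d\n", (int)gif_check_background(sample_bad, sizeof sample_bad));
    printf("notable=%d\n", (int)gif_check_background(sample_notable, sizeof sample_notable));
    return 0;
}
```

A check like this can run as a pre-screen on untrusted files before they reach an unpatched converter; it does not replace updating the library.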
The severity of CVE-2016-3977 is medium, with a severity rating of 5.5.
CVE-2016-3977 affects giflib from version 5.1.2 up to, but not including, versions 5.1.4-2ubuntu0.1, 5.1.4-3, 5.1.4-3+deb10u1, 5.1.9-2, and 5.2.1-2.5.
To fix the CVE-2016-3977 vulnerability on Ubuntu, update the giflib package to version 5.1.4-2ubuntu0.1 or higher.
You can find more information about CVE-2016-3977 at the following references: [CVE-2016-3977](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3977), [Ubuntu Security Notice USN-4107-1](https://ubuntu.com/security/notices/USN-4107-1), [NVD Vulnerability Detail CVE-2016-3977](https://nvd.nist.gov/vuln/detail/CVE-2016-3977).