CESA-2005-007 - rev 1
[See all my vulnerabilities at http://scary.beasts.org/security]

libungif / libgif GIF decompression vulnerabilities
===================================================

Programs affected: libungif, libgif
Severity: Possible arbitrary code execution.
Vendor fixed date: Oct 18th, 2005
Fixed: v4.1.4
CVE identifier(s): CVE-2005-2974, CVE-2005-3350

Credit to Daniel Eisenbud, who independently discovered and fixed this issue.

The following GIFs, produced by fuzzing, were observed to crash libungif:

Demo GIFs:
http://scary.beasts.org/misc/bad1.gif
http://scary.beasts.org/misc/bad2.gif
http://scary.beasts.org/misc/bad3.gif

bad1.gif triggers a NULL pointer dereference.
bad2.gif and bad3.gif trigger out-of-bounds memory accesses, one of which is
an out-of-bounds write and hence serious.

No source code analysis was performed; this was a black-box only exercise.

Chris Evans
scarybeasts@gmail.com
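The advisory says the crashing files came out of black-box fuzzing and that the decoder failed with a NULL dereference and out-of-bounds accesses on them. The following is an added example, not the fuzzer used for this advisory and not libungif code: a bounds-checked walker over the GIF block structure (header, logical screen descriptor, colour tables, extensions, image descriptors and their length-prefixed sub-blocks) that rejects truncated or inconsistent input with a controlled error instead of reading past the buffer, plus a byte-flip/truncate mutator that drives it the way a black-box fuzzer drives a decoder. The seed is a constructed 43-byte 1x1 GIF; the LZW payload is not decompressed, only walked. The rule that an image rectangle must lie inside the logical screen and the 2..8 bound on the LZW minimum code size are this example's own sanity checks, not facts taken from the advisory.

```python
import random
import struct

# Constructed seed: a 1x1 GIF89a with a 2-entry global colour table, one
# graphic control extension and one image. Not one of the advisory's files.
SEED_GIF = (
    b"GIF89a" b"\x01\x00\x01\x00" b"\x80" b"\x00\x00"
    b"\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02" b"\x02\x44\x01" b"\x00"
    b"\x3b"
)


class GifError(ValueError):
    """Controlled rejection of a malformed or truncated GIF."""


class _Reader:
    """Cursor over the input that refuses to read past the end."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise GifError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("<H", self.take(2))[0]

    def sub_blocks(self):
        """Consume length-prefixed sub-blocks up to the 0x00 terminator."""
        total = 0
        while True:
            n = self.u8()
            if n == 0:
                return total
            self.take(n)
            total += n


def walk_gif(data):
    """Validate the block structure of a GIF; raise GifError on anything off."""
    r = _Reader(data)
    if r.take(6) not in (b"GIF87a", b"GIF89a"):
        raise GifError("bad signature")
    width, height, packed = r.u16(), r.u16(), r.u8()
    r.take(2)  # background colour index, pixel aspect ratio
    if packed & 0x80:  # global colour table: 3 bytes per entry, 2^(n+1) entries
        r.take(3 * (2 << (packed & 0x07)))
    images = extensions = 0
    while True:
        tag = r.u8()
        if tag == 0x3B:  # trailer
            break
        if tag == 0x21:  # extension: label byte, then sub-blocks
            r.u8()
            r.sub_blocks()
            extensions += 1
        elif tag == 0x2C:  # image descriptor
            left, top, w, h, ipacked = r.u16(), r.u16(), r.u16(), r.u16(), r.u8()
            # Example's own rule: the image must fit in the logical screen.
            if w == 0 or h == 0 or left + w > width or top + h > height:
                raise GifError("image rectangle outside logical screen")
            if ipacked & 0x80:  # local colour table
                r.take(3 * (2 << (ipacked & 0x07)))
            min_code = r.u8()
            if not 2 <= min_code <= 8:  # example's sanity bound on LZW code size
                raise GifError(f"bad LZW minimum code size {min_code}")
            r.sub_blocks()
            images += 1
        else:
            raise GifError(f"unknown block tag 0x{tag:02x}")
    return {"width": width, "height": height, "images": images,
            "extensions": extensions, "trailing": len(data) - r.pos}


def mutate(data, rng, max_flips=4):
    """Black-box mutation: overwrite a few random bytes, sometimes truncate."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    if rng.random() < 0.2:
        buf = buf[:rng.randrange(1, len(buf))]
    return bytes(buf)


def fuzz(seed_gif, rounds=2000, seed=1):
    """Feed mutants to walk_gif; anything but GifError counts as a parser bug."""
    rng = random.Random(seed)
    stats = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(rounds):
        try:
            walk_gif(mutate(seed_gif, rng))
            stats["accepted"] += 1
        except GifError:
            stats["rejected"] += 1
        except Exception:
            stats["crashed"] += 1
    return stats


if __name__ == "__main__":
    print(walk_gif(SEED_GIF))
    print(fuzz(SEED_GIF))
```

The point of the harness is the third counter: a decoder that does its own bounds checking turns every fuzzed input into either a clean accept or a clean reject, and the "crashed" bucket, which is where a NULL dereference or out-of-bounds access in a C decoder would show up as a signal, stays at zero.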