CVE-2011-2896

Name	CVE-2011-2896
Description	The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2354-1, DSA-2426-1
Debian Bugs	643753

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cups (PTS)	buster	2.2.10-6+deb10u6	fixed
	buster (security)	2.2.10-6+deb10u9	fixed
	bullseye	2.3.3op2-3+deb11u6	fixed
	bullseye (security)	2.3.3op2-3+deb11u2	fixed
	bookworm	2.4.2-3+deb12u4	fixed
	sid, trixie	2.4.7-1	fixed
gimp (PTS)	buster	2.10.8-2	fixed
	buster (security)	2.10.8-2+deb10u1	fixed
	bullseye	2.10.22-4	fixed
	bullseye (security)	2.10.22-4+deb11u1	fixed
	bookworm	2.10.34-1	fixed
	bookworm (security)	2.10.34-1+deb12u1	fixed
	trixie	2.10.36-1	fixed
	sid	2.10.36-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
cups	source	lenny	1.3.8-1+lenny10		DSA-2354-1
cups	source	squeeze	1.4.4-7+squeeze1		DSA-2354-1
cups	source	(unstable)	1.5.0-8
gimp	source	squeeze	2.6.10-1+squeeze3		DSA-2426-1
gimp	source	(unstable)	2.6.11-5			643753