Description: An issue was discovered in giflib through 5.1.4. DumpScreen2RGB in gif2rgb.c has a heap-based buffer over-read.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 988151

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| giflib (PTS) | buster | 5.1.4-3 | vulnerable |
| giflib (PTS) | buster (security) | 5.1.4-3+deb10u1 | vulnerable |
| giflib (PTS) | bookworm, sid, trixie | 5.2.1-2.5 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|

Specific to gif2rgb. Crash in the CLI tool; no security impact.
The reproducer does not trigger using giflib 5.2.1-2.5 with ASan or Valgrind.
