[{"id":3682104,"web_url":"http://patchwork.ozlabs.org/comment/3682104/","msgid":"<20260424162636.160866-1-thomas.perale@mind.be>","list_archive_url":null,"date":"2026-04-24T16:26:36","subject":"Re: [Buildroot] [PATCH 2025.02.x] package/giflib: patch\n CVE-2021-40633, CVE-2025-31344, CVE-2026-23868","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/people/87308/","name":"Thomas Perale","email":"thomas.perale@mind.be"},"content":"In reply of:\n> Fixes the following vulnerabilities:\n> \n> - CVE-2021-40633:\n>     A memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib\n>     5.1.4 allows remote attackers trigger an out of memory exception or\n>     denial of service via a gif format file.\n> \n> For more information, see:\n>   - https://www.cve.org/CVERecord?id=CVE-2021-40633\n>   - https://sourceforge.net/p/giflib/code/ci/ccbc956432650734c91acb3fc88837f7b81267ff/\n> \n> - CVE-2025-31344:\n>     Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux.\n>     This vulnerability is associated with program files gif2rgb.C.  This\n>     issue affects giflib: through 5.2.2.\n> \n> For more information, see:\n>   - https://www.cve.org/CVERecord?id=CVE-2025-31344\n>   - https://sourceforge.net/p/giflib/code/ci/7bbe8ea1a595bb7509ffa0a86b076e9b720e85af\n> \n> - CVE-2026-23868:\n>     Giflib contains a double-free vulnerability that is the result of a\n>     shallow copy in GifMakeSavedImage and incorrect error handling. The\n>     conditions needed to trigger this vulnerability are difficult but may\n>     be possible.\n> \n> For more information, see:\n>   - https://www.cve.org/CVERecord?id=CVE-2026-23868\n>   - https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106\n> \n> This package is still vulnerable to CVE-2024-45993 [1] & CVE-2026-26740\n> [2] that doesn't have a documented fix yet.\n> \n> [1] https://security-tracker.debian.org/tracker/CVE-2024-45993\n> [2] https://security-tracker.debian.org/tracker/CVE-2026-26740\n> \n> Signed-off-by: Thomas Perale <thomas.perale@mind.be>\n\nApplied to 2025.02.x. Thanks\n\n> ---\n>  package/giflib/0003-CVE-2021-40633.patch | 24 ++++++++++++++++++++\n>  package/giflib/0004-CVE-2025-31344.patch | 26 +++++++++++++++++++++\n>  package/giflib/0005-CVE-2026-23868.patch | 29 ++++++++++++++++++++++++\n>  package/giflib/giflib.mk                 |  9 ++++++++\n>  4 files changed, 88 insertions(+)\n>  create mode 100644 package/giflib/0003-CVE-2021-40633.patch\n>  create mode 100644 package/giflib/0004-CVE-2025-31344.patch\n>  create mode 100644 package/giflib/0005-CVE-2026-23868.patch\n> \n> diff --git a/package/giflib/0003-CVE-2021-40633.patch b/package/giflib/0003-CVE-2021-40633.patch\n> new file mode 100644\n> index 0000000000..4e0070401e\n> --- /dev/null\n> +++ b/package/giflib/0003-CVE-2021-40633.patch\n> @@ -0,0 +1,24 @@\n> +commit ccbc956432650734c91acb3fc88837f7b81267ff\n> +Author: Eric S. Raymond <esr@thyrsus.com>\n> +Date:   Wed Feb 21 18:55:00 2024 -0500\n> +\n> +    Clean up memory better at end of run (CVE-2021-40633)\n> +\n> +CVE: CVE-2021-40633\n> +Upstream: https://sourceforge.net/p/giflib/code/ci/ccbc956432650734c91acb3fc88837f7b81267ff/\n> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>\n> +\n> +diff --git a/gif2rgb.c b/gif2rgb.c\n> +index d51226d..fc2e683 100644\n> +--- a/gif2rgb.c\n> ++++ b/gif2rgb.c\n> +@@ -525,6 +525,9 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag,\n> + \tDumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,\n> + \t               GifFile->SWidth, GifFile->SHeight);\n> + \n> ++\tfor (i = 0; i < GifFile->SHeight; i++) {\n> ++        \t(void)free(ScreenBuffer[i]);\n> ++\t}\n> + \t(void)free(ScreenBuffer);\n> + \n> + \t{\n> diff --git a/package/giflib/0004-CVE-2025-31344.patch b/package/giflib/0004-CVE-2025-31344.patch\n> new file mode 100644\n> index 0000000000..2d74b526c4\n> --- /dev/null\n> +++ b/package/giflib/0004-CVE-2025-31344.patch\n> @@ -0,0 +1,26 @@\n> +commit 7bbe8ea1a595bb7509ffa0a86b076e9b720e85af\n> +Author: Eric S. Raymond <esr@thyrsus.com>\n> +Date:   Wed Feb 18 18:06:50 2026 -0500\n> +\n> +    Resolve SourceForge bug #187: CVE-2025-31344\n> +\n> +CVE: CVE-2025-31344\n> +Upstream: https://sourceforge.net/p/giflib/code/ci/7bbe8ea1a595bb7509ffa0a86b076e9b720e85af\n> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>\n> +\n> +diff --git a/gif2rgb.c b/gif2rgb.c\n> +index b80ebcd..da4fa23 100644\n> +--- a/gif2rgb.c\n> ++++ b/gif2rgb.c\n> +@@ -327,6 +327,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,\n> + \t\t\tGifRow = ScreenBuffer[i];\n> + \t\t\tGifQprintf(\"\\b\\b\\b\\b%-4d\", ScreenHeight - i);\n> + \t\t\tfor (j = 0; j < ScreenWidth; j++) {\n> ++\t\t\t\t/* Check if color is within color palete */\n> ++\t\t\t\tif (GifRow[j] >= ColorMap->ColorCount) {\n> ++\t\t\t\t\tGIF_EXIT(GifErrorString(\n> ++\t\t\t\t\t    D_GIF_ERR_IMAGE_DEFECT));\n> ++\t\t\t\t}\n> + \t\t\t\tColorMapEntry = &ColorMap->Colors[GifRow[j]];\n> + \t\t\t\tBuffers[0][j] = ColorMapEntry->Red;\n> + \t\t\t\tBuffers[1][j] = ColorMapEntry->Green;\n> diff --git a/package/giflib/0005-CVE-2026-23868.patch b/package/giflib/0005-CVE-2026-23868.patch\n> new file mode 100644\n> index 0000000000..176325ef77\n> --- /dev/null\n> +++ b/package/giflib/0005-CVE-2026-23868.patch\n> @@ -0,0 +1,29 @@\n> +commit f5b7267aed3665ef025c13823e454170d031c106\n> +Author: Eric S. Raymond <esr@thyrsus.com>\n> +Date:   Wed Mar 4 18:49:49 2026 -0500\n> +\n> +    Avoid potentuial double-free on weird images.\n> +\n> +CVE: CVE-2026-23868\n> +Upstream: https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106\n> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>\n> +\n> +diff --git a/gifalloc.c b/gifalloc.c\n> +index 01a845d..ff70cb0 100644\n> +--- a/gifalloc.c\n> ++++ b/gifalloc.c\n> +@@ -349,6 +349,14 @@ SavedImage *GifMakeSavedImage(GifFileType *GifFile,\n> + \t\t\t * aliasing problems.\n> + \t\t\t */\n> + \n> ++\t\t\t/* Null out aliased pointers before any allocations\n> ++\t\t\t * so that FreeLastSavedImage won't free CopyFrom's\n> ++\t\t\t * data if an allocation fails partway through. */\n> ++\t\t\tsp->ImageDesc.ColorMap = NULL;\n> ++\t\t\tsp->RasterBits = NULL;\n> ++\t\t\tsp->ExtensionBlocks = NULL;\n> ++\t\t\tsp->ExtensionBlockCount = 0;\n> ++ \n> + \t\t\t/* first, the local color map */\n> + \t\t\tif (CopyFrom->ImageDesc.ColorMap != NULL) {\n> + \t\t\t\tsp->ImageDesc.ColorMap = GifMakeMapObject(\n> diff --git a/package/giflib/giflib.mk b/package/giflib/giflib.mk\n> index 00922ce2db..db9886342c 100644\n> --- a/package/giflib/giflib.mk\n> +++ b/package/giflib/giflib.mk\n> @@ -12,6 +12,15 @@ GIFLIB_LICENSE = MIT\n>  GIFLIB_LICENSE_FILES = COPYING\n>  GIFLIB_CPE_ID_VALID = YES\n>  \n> +# 0003-CVE-2021-40633.patch\n> +GIFLIB_IGNORE_CVES += CVE-2021-40633\n> +\n> +# 0004-CVE-2025-31344.patch\n> +GIFLIB_IGNORE_CVES += CVE-2025-31344\n> +\n> +# 0005-CVE-2026-23868.patch\n> +GIFLIB_IGNORE_CVES += CVE-2026-23868\n> +\n>  ifeq ($(BR2_STATIC_LIBS),y)\n>  GIFLIB_BUILD_LIBS = static-lib\n>  GIFLIB_INSTALL_LIBS = install-static-lib\n> -- \n> 2.53.0\n> \n> _______________________________________________\n> buildroot mailing list\n> buildroot@buildroot.org\n> https://lists.buildroot.org/mailman/listinfo/buildroot","headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=CJK5kBxc;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g2JJ64XLpz1y2d\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Sat, 25 Apr 2026 02:26:46 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id C5AAC42967;\n\tFri, 24 Apr 2026 16:26:44 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id rgK4enKJeZAC; Fri, 24 Apr 2026 16:26:43 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 9E43B4296D;\n\tFri, 24 Apr 2026 16:26:43 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id 3B160194\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 16:26:41 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 20E51429A4\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 16:26:41 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id vOkPXQWt6tgR for <buildroot@buildroot.org>;\n Fri, 24 Apr 2026 16:26:40 +0000 (UTC)","from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com\n [IPv6:2a00:1450:4864:20::42e])\n by smtp4.osuosl.org (Postfix) with ESMTPS id DC1C642958\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 16:26:39 +0000 (UTC)","by mail-wr1-x42e.google.com with SMTP id\n ffacd0b85a97d-43eada6d900so7829206f8f.0\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 09:26:39 -0700 (PDT)","from arch ([79.132.248.48]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-43fe4cc0f31sm60823329f8f.12.2026.04.24.09.26.36\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 24 Apr 2026 09:26:36 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 9E43B4296D","OpenDKIM Filter v2.11.0 smtp4.osuosl.org DC1C642958"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1777048003;\n\tbh=ZodHymfXaImMR8yg0SYCh+4Ec3OtOINW0JDckx48TO8=;\n\th=To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=CJK5kBxcxnFckf7hHYY+m+eIaOZWJaFwJdnrJtk0LPQevmrWHBi1DWOHy0orFW36L\n\t HiicozMd+D7WA4sIz+eJTOhNPrN3uIwfYNiGffzVxK+nBk0OI53047JNENBa+9+tDu\n\t F8BuNTnkVBfNEh+3f8i5GYHGzHJ482WLQWQkiyPq1K6HVY732Y2d2/1cK339Klw6Np\n\t cfdJpfFuvdDXtoEhvq97b54L3RxLXcANsXwjJfBOa4hIvq6zTYFmtDkeQXK20vTUJ8\n\t CxAsU4pk5obnvwfBuHM/N80It99lXw/QiV5M9MuAHZ/dCFLtPutliPDZuw7D57y8K0\n\t W20C6sMabhniA==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::42e; helo=mail-wr1-x42e.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org DC1C642958","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777047998; x=1777652798;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=MEI+P3nH/O/phf3AFKCEODJF8x2cDOPdLb/KtlAK4YY=;\n b=D5ud9SR8CFwDOzGDIK5kecfXYaTyxn4YXCUnExf5VOtdR3SZR5DOixMRf3TT2/blq0\n p25ZGACRMtzZVacWp7CvqT1QtfgoGH0AOYLc17/ayozEnms1pA5gyemF950JEzIQ7rl0\n YAoURGjU1qHmJq4+iJbRxNlON0xWJg+zbmfTFZFfEVkwU0Yk5ZArvM95pq6faoCveXwp\n W6GEUBQVcyBiG4txd2CR8M1qTFkT2Qfz/I0VmR4kH197CTLc2EdTKnJMFBeBqLkxOpwu\n cpWVePtU2PVL8Lwrq2qRZ+rSn5eeLWB5SjlQocjPI0J1dE3X9qtSF0gjITJuWiu7DSlh\n 4VLA==","X-Gm-Message-State":"AOJu0YzMs9JtkRcMAtO5kHx0zYafJBW7EIm+I0f+F87K+UKndeHaIfQh\n q9Dg36hSH8sQ8cws/irDHS79y8OLXqxMbsbQw4k2R7TXVmWtJ5BwUmTLmC+cYRPw0FUBDVmEw1U\n R5q2B","X-Gm-Gg":"AeBDietlHxuc+xcRKfy2zWbl3sZDi4oJiX9fyoLUx0qCz6Speg7ZXqsxDZceV5HB31m\n pLR2XqKKIE02/HfozAG0yJbMDWWB9ZomEcQ69PLsObAPicsrZ0HFUsL5tBB2IXn2JfS4OBvvGJ8\n KJ9K88pwsCAcyNDUllMBiFMDXlHfhrAqjL2beJ7Y9lqnE9E8jUXll+gBAeB7q+IvNn7wpPwoqy/\n 25zDlNDS2RW5NxkKcKO0Yfl/o69t8bnKHW86XDESfbLABeXfsnwBozmTocbJ+no7nHHkg+izLIr\n dZ+ipMvnK9HquM01WT9GMKUM8zZx/Ov8bxsHmqGBj77KkrcRnH/GtVzdUyyQlu68vTzM+S91AwM\n 0U6V1a3NoniKNXrio0BAY2EABN5BqNPONoHWN+ebhRuG+ONop3J3S3T1uVqHh2sA/Ve5pIU1pow\n zFPf5ouLDTZzCrD8bnYvVVmCOmng==","X-Received":"by 2002:a5d:5d0b:0:b0:43d:20e9:b0e1 with SMTP id\n ffacd0b85a97d-43fe3db9b22mr48488993f8f.7.1777047997557;\n Fri, 24 Apr 2026 09:26:37 -0700 (PDT)","To":"Thomas Perale <thomas.perale@mind.be>","Cc":"buildroot@buildroot.org","Date":"Fri, 24 Apr 2026 18:26:36 +0200","Message-ID":"<20260424162636.160866-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.54.0","In-Reply-To":"<20260417102200.137169-1-thomas.perale@mind.be>","References":"<20260417102200.137169-1-thomas.perale@mind.be>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1777047998; x=1777652798; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=MEI+P3nH/O/phf3AFKCEODJF8x2cDOPdLb/KtlAK4YY=;\n b=Nw/9GwLMnPTz8o4zBB1Lss1/ky8zcCFiA1GzTJ3sC0PPl6cVD/uebhKh3BtEx0E4D8\n SuNuyeMFpOx+fg6m/POomKhNx2vepdfz0IH362SKpToWJDjIucXaPXYy1RrV4X2Mgbgb\n uAPQYVDabCM4FOqtxGmVFIQmw63Wpc+5Js5ZNW7o5TJiCeFSsfwWMWEHGeEAGcRaLJz/\n 3ys2gHJra310/Cmt9SiWfYyICNgyppzlpOZbOhix/vm4RND9ZBh7gzUFBs6Nqgo44B49\n HTwdLgEZP8YLJ07ls1FC3OM9NuNefNduDUyEEZLeo6Q+mjwENSFVxCcWPMVak2ojtouP\n jO2Q==","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp4.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=Nw/9GwLM"],"Subject":"Re: [Buildroot] [PATCH 2025.02.x] package/giflib: patch\n CVE-2021-40633, CVE-2025-31344, CVE-2026-23868","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Thomas Perale via buildroot <buildroot@buildroot.org>","Reply-To":"Thomas Perale <thomas.perale@mind.be>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"}}]