CVE-2007-6697
Published: 2008-02-01
Priority: P3 · 42 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 10.73% (95.3th percentile)
Buffer overflow in the LWZReadByte function in IMG_gif.c in SDL_image before 1.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file, a similar issue to CVE-2006-4484. NOTE: some of these details are obtained from third party information.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | sdl-image1.2 | < sdl-image1.2 1.2.6-2 (bookworm) | sdl-image1.2 1.2.6-2 (bookworm) |
| sdl | sdl_image | <= 1.2.6 | — |
CVSS provenance
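| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 7.5 (v2.0) | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | 2.6 | LOW | |
| vendor_ubuntu | 7.5 | HIGH | |
| vendor_debian | 2.6 | MEDIUM | |
| vendor_redhat | 2.6 | LOW | |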
GHSA
GHSA-r8gv-4rq7-chfp: Buffer overflow in the LWZReadByte function in IMG_gif
ghsa_unreviewed·2022-05-01·CVSS 2.6
CVE-2007-6697 [LOW] CWE-119 GHSA-r8gv-4rq7-chfp: Buffer overflow in the LWZReadByte function in IMG_gif
OSV
CVE-2007-6697: Buffer overflow in the LWZReadByte function in IMG_gif
osv·2008-02-01·CVSS 2.6
CVE-2007-6697 [LOW] CVE-2007-6697: Buffer overflow in the LWZReadByte function in IMG_gif
Ubuntu
SDL_image vulnerabilities
vendor_ubuntu·2008-03-26·CVSS 7.5
CVE-2007-6697 [HIGH] SDL_image vulnerabilities
Michael Skladnikiewicz discovered that SDL_image did not correctly load
GIF images. If a user or automated system were tricked into processing
a specially crafted GIF, a remote attacker could execute arbitrary code
or cause a crash, leading to a denial of service. (CVE-2007-6697)
David Raulo discovered that SDL_image did not correctly load ILBM images.
If a user or automated system were tricked into processing a specially
crafted ILBM, a remote attacker could execute arbitrary code or cause
a crash, leading to a denial of service. (CVE-2008-0544)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
SDL_image: GIF handling buffer overflow
vendor_redhat·2008-01-23·CVSS 2.6
CVE-2007-6697 [LOW] SDL_image: GIF handling buffer overflow
Debian
CVE-2007-6697: sdl-image1.2 - Buffer overflow in the LWZReadByte function in IMG_gif.c in SDL_image before 1.2...
vendor_debian·2007·CVSS 2.6
CVE-2007-6697 [LOW] CVE-2007-6697: sdl-image1.2 - Buffer overflow in the LWZReadByte function in IMG_gif.c in SDL_image before 1.2...
Scope: local
bookworm: resolved (fixed in 1.2.6-2)
bullseye: resolved (fixed in 1.2.6-2)
forky: resolved (fixed in 1.2.6-2)
sid: resolved (fixed in 1.2.6-2)
trixie: resolved (fixed in 1.2.6-2)
No detection rules found.
Bugzilla
CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow
bugzilla·2011-08-03·CVSS 9.3
CVE-2011-2896 [CRITICAL] CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow
GIF image file format readers in various open source projects are based on the GIF decoder implementation written by David Koblas. This implementation contains a bug in the LZW decompressor, causing it to incorrectly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when a code word may match the first free entry in the decompression table. The implementation used in this GIF reading code allows code words not only matching, but also exceeding the first free entry.
This problem is identical to a bug found in BSD compress (CVE-2011-2895, bug #727624), but given the unclear relationship between BSD compress and GIF deco
Bugzilla
CVE-2011-2897 gdk-pixbuf: GIF loader buffer overflow when initializing decompression tables
bugzilla·2011-08-01·CVSS 2.6
CVE-2011-2897 [LOW] CVE-2011-2897 gdk-pixbuf: GIF loader buffer overflow when initializing decompression tables
GDK's GIF image reader is based on David Koblas' code that is also used in several other GIF image readers. This code contained an input validation flaw. Input code size was read from input GIF file and used to initialize decoding tables without checking the value, leading to buffer overflow. Relevant GDK code is:
    static int
    gif_prepare_lzw (GifContext *context)
    {
    ...
            if (!gif_read (context, &(context->lzw_set_code_size), 1)) {
                    /*g_message (_("GIF: EOF / read error on image data\n"));*/
                    return -1;
            }
    ...
            /* lzw_set_code_size comes straight from the file and is not range-checked */
            context->lzw_clear_code = 1 << context->lzw_set_code_size;
    ...
            /* the unchecked value bounds the writes into lzw_table */
            for (i = 0; i < context->lzw_clear_code; ++i) {
                    context->lzw_table[0][i] = 0;
                    context->lzw_table[1][i] = i;
            }
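The CVE-2011-2896 and CVE-2011-2897 entries above describe two missing checks in Koblas-derived decoders: the code size read from the file is never bounded, and a code word may exceed the first free table entry. The C decoder below is an added example showing both checks in place; it is not code from gdk-pixbuf, SDL_image or any other project listed on this page. The function `lzw_decode_codes`, its parameters and the sample codes are constructed for illustration, and it takes already-unpacked codes so that bit unpacking is left out.

```c
#include <stddef.h>
#include <stdio.h>
#define MAX_LWZ_BITS 12                 /* GIF LZW codes are at most 12 bits */
#define TABLE_SIZE   (1 << MAX_LWZ_BITS)

/* Decode already-unpacked LZW codes into out (bit unpacking is left out).
 * Returns the number of bytes written, or -1 on invalid input. */
int lzw_decode_codes(unsigned char set_code_size, const int *codes,
                     size_t ncodes, unsigned char *out, size_t outcap)
{
    unsigned short prefix[TABLE_SIZE];
    unsigned char suffix[TABLE_SIZE], stack[TABLE_SIZE];
    size_t n = 0, sp;
    int clear, next_free, prev = -1, first = 0;
    /* Check 1: bound the file-supplied code size before it sizes the init
     * loop. ">=" is this example's choice: clear/end must fit in 12 bits. */
    if (set_code_size >= MAX_LWZ_BITS) return -1;
    clear = 1 << set_code_size; next_free = clear + 2;  /* clear + 1 = end */
    for (int i = 0; i < clear; i++) { prefix[i] = 0; suffix[i] = (unsigned char)i; }
    for (size_t k = 0; k < ncodes; k++) {
        int code = codes[k], cur = code;
        if (code == clear) { next_free = clear + 2; prev = -1; continue; }
        if (code == clear + 1) break;
        /* Check 2: a code may equal the first free entry (KwKwK) only when
         * a previous code exists, and may never exceed it. */
        if (code < 0 || code >= TABLE_SIZE || code > next_free ||
            (code == next_free && prev < 0)) return -1;
        sp = 0;
        if (code == next_free) { stack[sp++] = (unsigned char)first; cur = prev; }
        while (cur >= clear) { stack[sp++] = suffix[cur]; cur = prefix[cur]; }
        first = suffix[cur];
        stack[sp++] = (unsigned char)first;
        if (prev >= 0 && next_free < TABLE_SIZE) {      /* grow the table */
            prefix[next_free] = (unsigned short)prev;
            suffix[next_free++] = (unsigned char)first;
        }
        if (sp > outcap - n) return -1;                 /* output too small */
        while (sp > 0) out[n++] = stack[--sp];
        prev = code;
    }
    return (int)n;
}

int main(void) {
    const int codes[] = {4, 1, 6, 7, 2, 5};   /* constructed, code size 2 */
    unsigned char out[16];
    printf("%d\n", lzw_decode_codes(2, codes, 6, out, sizeof out));
    return 0;
}
```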
Bugzilla
CVE-2008-1373 cups: overflow in gif image filter
bugzilla·2008-03-20·CVSS 2.6
CVE-2008-1373 [LOW] CVE-2008-1373 cups: overflow in gif image filter
It was discovered that the GIF parsing code used by the CUPS printing system is affected
by a similar issue as the GIF parsers used by gd / netpbm / tk / SDL_image.
The value of code_size read from the GIF image is not properly validated before being
used to initialize the table array in gif_read_lzw(), causing a static buffer overflow.
Issue is similar to:
CVE-2006-4484 (gd), CVE-2007-6697 (SDL_image), CVE-2008-0553 (tk), CVE-2008-0554
(netpbm)
Discussion:
Created attachment 298680
Proposed patch
Similar to the fix used in gd / tk / netpbm / SDL_image.
---
Tracked upstream via: http://www.cups.org/str.php?L2765
---
cups-1.2.12-10.fc7 has been submitted as an update for Fedora 7
---
cups-1.3.6-4.fc8 has been pushed to the Fedora 8 stable repository. If probl
Bugzilla
CVE-2008-0553 tk: GIF handling buffer overflow
bugzilla·2008-02-05·CVSS 2.6
CVE-2008-0553 [LOW] CVE-2008-0553 tk: GIF handling buffer overflow
tk GIF handling code is based on the same code as used by gd and SDL_image and
is affected by the overflow known as CVE-2006-4484 and CVE-2007-6697.
ReadImage function in tkImgGIF.c does not properly check the value of
initialCodeSize value read from GIF image before using it as upper bound during
the initialization of append array. This can result in stack buffer overflow.
Upstream fix:
http://tktoolkit.cvs.sourceforge.net/tktoolkit/tk/generic/tkImgGIF.c?r1=1.40&r2=1.41
This is expected to be included in upstream tk version 8.5.1.
Related issues:
CVE-2006-4484 (gd), CVE-2007-6697 (SDL_image), CVE-2008-0554 (netpbm)
Discussion:
perl-Tk uses embedded copy of tk source code and is affected by this problem
too. Adding perl-Tk maintainers t
Bugzilla
CVE-2008-0553 tk: GIF handling buffer overflow [rawhide]
bugzilla·2008-02-05·CVSS 2.6
CVE-2008-0553 [LOW] CVE-2008-0553 tk: GIF handling buffer overflow [rawhide]
+++ This bug was initially created as a clone of Bug #431518 +++
tk GIF handling code is based on the same code as used by gd and SDL_image and
is affected by the overflow known as CVE-2006-4484 and CVE-2007-6697.
ReadImage function in tkImgGIF.c does not properly check the value of
initialCodeSize value read from GIF image before using it as upper bound during
the initialization of append array. This can result in stack buffer overflow.
Upstream fix:
http://tktoolkit.cvs.sourceforge.net/tktoolkit/tk/generic/tkImgGIF.c?r1=1.40&r2=1.41
This is expected to be included in upstream tk version 8.5.1.
Related issues:
CVE-2006-4484 (gd), CVE-2007-6697 (SDL_image), CVE-2008-0554 (netpbm)
Bugzilla
CVE-2006-4484 gd: GIF handling buffer overflow
bugzilla·2008-02-05·CVSS 2.6
CVE-2006-4484 [LOW] CVE-2006-4484 gd: GIF handling buffer overflow
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-4484 to the following vulnerability:
Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array.
References:
http://bugs.php.net/bug.php?id=38112
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.10&r2=1.11
http://www.php.net/ChangeLog-5.php#5.1.5
Discussion:
This issue was addressed in php packages in following advisories:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2006-0669.html
Red Hat Application Stack:
htt
Bugzilla
CVE-2008-0554 netpbm: GIF handling buffer overflow in giftopnm
bugzilla·2008-02-05·CVSS 2.6
CVE-2008-0554 [LOW] CVE-2008-0554 netpbm: GIF handling buffer overflow in giftopnm
GIF handling code used in netpbm's giftopnm converter is based on the same code
as used by gd and SDL_image and is affected by the overflow known as
CVE-2006-4484 and CVE-2007-6697.
readImageData function in giftopnm.c does not properly check the value of
lzwMinCodeSize value read from GIF image before passing it to lzwInit, which
uses it as upper bound during the initialization of fixed sized table array,
leading to a buffer overflow.
This issue was fixed in upstream version 10.27. Code checking the value is in
the initial giftopnm.c revision in the project's public SVN repository:
http://netpbm.svn.sourceforge.net/viewvc/netpbm/trunk/converter/other/giftopnm.c?revision=1&view=markup#l_1052
This issue does not affect netpbm pa
Bugzilla
CVE-2007-6697 SDL_image: GIF handling buffer overflow
bugzilla·2008-01-24·CVSS 2.6
CVE-2007-6697 [LOW] CVE-2007-6697 SDL_image: GIF handling buffer overflow
Input validation flaw was discovered in the SDL_image image handling library.
Value read from the GIF file is not properly validated against the buffer size
and can cause a buffer overflow.
More details about this issue can be found here:
http://marc.info/?l=bugtraq&m=120110205511630&w=4
Advisory states new upstream version 1.2.7 should be released soon addressing
this flaw.
Relevant upstream SVN commit seems to be:
http://www.libsdl.org/cgi/viewvc.cgi/trunk/SDL_image/IMG_gif.c?r1=3462&r2=3461&pathrev=3462
Discussion:
Created attachment 292800
Reproducer from the advisory
---
This seems to be the same issue as CVE-2006-4484 (reported for gd embedded in
php sources back in 2006):
Buffer overflow in the LWZReadByte_ function in
References
http://bugs.gentoo.org/show_bug.cgi?id=207933
http://marc.info/?l=bugtraq&m=120110205511630&w=2
http://secunia.com/advisories/28640
http://secunia.com/advisories/28752
http://secunia.com/advisories/28830
http://secunia.com/advisories/28837
http://secunia.com/advisories/28850
http://secunia.com/advisories/28869
http://secunia.com/advisories/29542
http://vexillium.org/?sec-sdlgif
http://wiki.rpath.com/Advisories:rPSA-2008-0061
http://www.debian.org/security/2008/dsa-1493
http://www.gentoo.org/security/en/glsa/glsa-200802-01.xml
http://www.libsdl.org/cgi/viewvc.cgi/trunk/SDL_image/CHANGES?revision=3462&view=markup
http://www.libsdl.org/cgi/viewvc.cgi/trunk/SDL_image/IMG_gif.c?r1=2970&r2=3462
http://www.mandriva.com/security/advisories?name=MDVSA-2008:040
http://www.securityfocus.com/archive/1/488079/100/0/threaded
http://www.securityfocus.com/bid/27417
http://www.ubuntu.com/usn/usn-595-1
http://www.vupen.com/english/advisories/2008/0266
https://exchange.xforce.ibmcloud.com/vulnerabilities/39865
https://issues.rpath.com/browse/RPL-2206
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00008.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00039.html