Hi Jake! On Mon, 25 May 2009 13:43:08 -0600 Jake Edge <jake@xxxxxxx> wrote: > I don't know much about CVE assignment and the like (but perhaps I > should), but it would seem to me that the two CVEs from 2005 apply to > libungif rather than giflib and that new CVEs should be created or > applied for as it is a different package affected (though I assume > they share much of the same code) ... If the affected code is re-used in multiple projects, the same CVE id is used to refer to the flaw in all projects that contain shared code (for examples, think of flaws in xpdf source code that usually need to be fixed in xpdf, poppler, cups, for older distros also kdegraphics, gpdf, ...; or mozilla flaws fixed in firefox, seamonkey, thunderbird). While it's not quite obvious, libungif and giflib do not really seem to be different projects. I have not tried to track down all its history, but diffing their sources, the only real difference in 4.1.3 was that giflib supported LZW encoding and libungif did not. Excluding Makefile / configure / README differences, this boils down to about 200 lines of unified diff. > it would also seem plausible that other distributions using giflib > fell into the same hole ... or is this purely a Fedora/RHEL issue > because they stuck with giflib 4.1.3? Following upstream releases more closely, this could have been fixed quite some time ago. -- Tomas Hoger / Red Hat Security Response Team -- Fedora-security-list mailing list Fedora-security-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-security-list
