CVE-2023-44821

2023-10-0920:15:10

Debian Security Bug Tracker

security-tracker.debian.org

gifsicle

denial of service

vulnerability

cve-2023-44821

unix

untrusted input

memory consumption

disputed

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

5.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

Gifsicle through 1.94, if deployed in a way that allows untrusted input to affect Gif_Realloc calls, might allow a denial of service (memory consumption). NOTE: this has been disputed by multiple parties because the Gifsicle code is not commonly used for unattended operation in which new input arrives for a long-running process, does not ship with functionality to link it into another application as a library, and does not have realistic use cases in which an adversary controls the entire command line.

OSVersionArchitecturePackageVersionFilename
Debian12allgifsicle<= 1.93-2gifsicle_1.93-2_all.deb
Debian11allgifsicle<= 1.92-2gifsicle_1.92-2_all.deb
Debian999allgifsicle<= 1.94-1gifsicle_1.94-1_all.deb
Debian13allgifsicle<= 1.94-1gifsicle_1.94-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	gifsicle	<= 1.93-2	gifsicle_1.93-2_all.deb
Debian	11	all	gifsicle	<= 1.92-2	gifsicle_1.92-2_all.deb
Debian	999	all	gifsicle	<= 1.94-1	gifsicle_1.94-1_all.deb
Debian	13	all	gifsicle	<= 1.94-1	gifsicle_1.94-1_all.deb