Update giflib Xenial Package to 5.1.4

Bug #1580376 reported by Felix Bünemann
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
One Hundred Papercuts | Fix Released | Critical | Unassigned |
giflib (Ubuntu) | Fix Released | Critical | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |

Bug Description

Ubuntu Xenial Xerus currently ships with giflib 5.1.2-0.2, which is completely broken.
It fails to read gif images in both libvips and imagemagick.

Please update to 5.1.4-0.2, which is already published in Yakkety Yak.

I have built the 5.1.4-0.2 package on Xenial and can confirm that it fixes both of the above mentioned problems.

The upstream bug report is: https://sourceforge.net/p/giflib/bugs/94/

And fix release is 5.1.4.

Prepared 5.1.4, test built in the PPA ubuntu-toolchain-r/ppa, and test-built all rdeps in main (emacs24 libgdiplus libwebp openjdk-8 tracker).

Acceptance criteria: Builds, and tests succeed on all architectures.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in giflib (Ubuntu):
status: New → Confirmed
Matthias Klose (doko) wrote :

Both 5.1.3 and 5.1.4 are bug fix releases:

+Version 5.1.4
+=============
+
+Code Fixes
+----------
+
+* Fix SF bug #94: giflib 5 loves to fail to load images... a LOT.
+
+* Fix SF Bug #92: Fix buffer overread in gifbuild.
+
+* Fix SF Bug #93: Add bounds check in gifbuild netscape2.0 path
+
+* Fix SF Bug #89: Fix buffer overread in gifbuild.
+
+Version 5.1.3
+=============
+
+As of this version the library and code has been seriously abused by fuzzers,
+smoking out crash bugs (now fixed) induced by various kinds of severely
+malformed GIF.
+
+Code Fixes
+----------
+
+* Prevent malloc randomess from causing the header output routine to emit
+ a GIF89 version string even when no GIF89 features are present. Only
+ breaks tests, not production code, but it's odd this wasn't caught sooner.
+
+* Prevent malloc randomess from producing sporadic failures by causing
+ sanity checks added in 5.1.2 to misfire.
+
+* Bulletproof gif2rgb against 0-height images. Addressed SF bug #78:
+ Heap overflow in gif2rgb with images of size 0, also SF bug #82.
+
+* Remove unnecessary duplicate EGifClose() in gifcolor.c. Fixes SF bug #83
+ introduced in 5.1.2.
+
+* Fix SF Bug #84: incorrect return of DGifSlurp().
+
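Review bot: In the 5.1.3 entries, "randomess" appears twice and should read "randomness". In the 5.1.4 list, SF Bug #92 and SF Bug #89 carry the identical summary "Fix buffer overread in gifbuild", so a reader cannot tell the two fixes apart; a word on the affected code path in each entry, as the #93 entry gives with "netscape2.0 path", would make them distinguishable.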

description: updated
information type: Public → Public Security
tags: added: trusty wily xenial
Amr Ibrahim (amribrahim1987) wrote :

A security fix has to go to Trusty.

Changed in giflib (Ubuntu):
importance: Undecided → Critical
Changed in hundredpapercuts:
status: New → Confirmed
importance: Undecided → Critical
Brian Murray (brian-murray) wrote :

I'd like to see some test cases regarding "It fails to read gif images in both libvips and imagemagick" before approving the upload to xenial.

Martin Pitt (pitti) wrote :

giflib | 5.1.4-0.3 | yakkety | source

Changed in giflib (Ubuntu):
status: Confirmed → Fix Released
Changed in giflib (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote : Please test proposed package

Hello Felix, or anyone else affected,

Accepted giflib into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/giflib/5.1.4-0.3~16.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Felix Bünemann (felix-buenemann) wrote :

Martin: I can confirm that the giflib 5.1.4-0.3 packages in xenial-proposed fix the reported problems.

Brian: What would those test cases look like?

Maybe this discussion is helpful:

https://github.com/jcupitt/libvips/issues/437

Running libvips master make test on 5.1.2-0.2 results in:

======================================================================
ERROR: test_gifload (test_foreign.TestForeign)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "test_foreign.py", line 483, in test_gifload
    self.file_loader("gifload", self.gif_file, gif_valid)
  File "test_foreign.py", line 68, in file_loader
    validate(self, im)
  File "test_foreign.py", line 477, in gif_valid
    a = im(10, 10)
  File "../python/packages/gi/overrides/Vips.py", line 846, in __call__
    return self.getpoint(x, y)
  File "../python/packages/gi/overrides/Vips.py", line 651, in call_function
    return _call_instance(self, name, args, kwargs)
  File "../python/packages/gi/overrides/Vips.py", line 426, in _call_instance
    return _call_base(name, args, kwargs, self)
  File "../python/packages/gi/overrides/Vips.py", line 376, in _call_base
    raise Error('Error calling operator %s.' % name)
Error: Error calling operator getpoint.
  gifload: Failed to read from given file
vips__region_start: start function failed for image images/cramps.gif

======================================================================
ERROR: test_magickload (test_foreign.TestForeign)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "test_foreign.py", line 331, in test_magickload
    self.file_loader("magickload", self.gif_file, gif_valid)
  File "test_foreign.py", line 70, in file_loader
    validate(self, im)
  File "test_foreign.py", line 321, in gif_valid
    self.assertAlmostEqual(a, [33, 33, 33, 255])
  File "/usr/lib/python2.7/unittest/case.py", line 554, in assertAlmostEqual
    if round(abs(second-first), places) == 0:
TypeError: unsupported operand type(s) for -: 'list' and 'list'

----------------------------------------------------------------------

FAILED (errors=2)
memory: high-water mark 127.03 MB
FAIL test_python.sh (exit status: 1)

============================================================================
Testsuite summary for vips 8.4.0
============================================================================
# TOTAL: 5
# PASS: 4
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
============================================================================
See test/test-suite.log
Please report to <email address hidden>
============================================================================

Running libvips master make check on 5.1.4-0.3:

============================================================================
Testsuite summary for vips 8.4.0
============================================================================
# TOTAL: 5
# PASS: 5
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================

tags: added: verification-done
removed: verification-needed
John Cupitt (jcupitt) wrote :

I can confirm that `sudo apt-get install libgif-dev/xenial-proposed` fixes the libvips test suite failures for me. Previously I saw errors from direct gif load, and load via imagemagick. I now see a clean run.

Thank you for updating this library.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package giflib - 5.1.4-0.3~16.04

---------------
giflib (5.1.4-0.3~16.04) xenial-proposed; urgency=medium

  * SRU: LP: #1580376: Upload bug fix release for 16.04 LTS.

giflib (5.1.4-0.3) unstable; urgency=medium

  * Non-maintainer upload.
  * CVE-2016-3977: gif2rgb: heap buffer overflow. Closes: #820526.

giflib (5.1.4-0.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Drop the local fix for issue #81, solved differently upstream.
    Closes: #823481.

giflib (5.1.4-0.1) unstable; urgency=medium

  * Non-maintainer upload.
  * New upstream version.
  * Security issues already fixed in 5.1.2: CVE-2016-3977.
    Closes: #820594, #820526.
  * Update symbols file.

giflib (5.1.2-0.3) unstable; urgency=medium

  * Non-maintainer upload.
  [ Tobias Frost ]
  * debian/patches/ef0cb9b4be572262b49fbc26fb2348683f44a517.patch:
    try to fix testsuite failures on feh/powerpc.
    (Closes: #812657)

 -- Matthias Klose <email address hidden> Tue, 14 Jun 2016 17:09:38 +0200

Changed in giflib (Ubuntu Xenial):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote : Update Released

The verification of the Stable Release Update for giflib has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in hundredpapercuts:
status: Confirmed → Fix Released