CVE-2023-46009
📋 TL;DR
CVE-2023-46009 is a floating point exception vulnerability in gifsicle's resize_stream function that can cause denial of service through application crashes. This affects systems using gifsicle 1.94 to process malicious GIF files. Users and applications that process untrusted GIF files with gifsicle are vulnerable.
💻 Affected Systems
- gifsicle
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service through application crash when processing malicious GIF files, potentially disrupting workflows that rely on gifsicle for image processing.
Likely Case
Application crashes when processing specially crafted GIF files, leading to service disruption for tools or scripts using gifsicle.
If Mitigated
Minimal impact if gifsicle only processes trusted GIF files or if the application has proper crash handling and restart mechanisms.
🎯 Exploit Status
Proof of concept exists in GitHub issue #196. Exploitation requires feeding a malicious GIF file to gifsicle, which is straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: gifsicle 1.95 or later
Vendor Advisory: https://github.com/kohler/gifsicle/issues/196
Restart Required: No
Instructions:
1. Update gifsicle to version 1.95 or later using your package manager.
2. For source installations: download the latest release from https://github.com/kohler/gifsicle, then compile and install it.
3. Verify the installation with 'gifsicle --version'.
🔧 Temporary Workarounds
Disable GIF processing
Platform: linux. Temporarily disable gifsicle usage or block GIF file processing until patched.
# Remove execute permissions:
chmod -x "$(which gifsicle)"
# Or rename the binary:
mv "$(which gifsicle)" "$(which gifsicle).bak"
Input validation
Platform: all. Implement strict validation of GIF files before passing them to gifsicle.
# Example bash script to check the file type before processing
if file "$1" | grep -q "GIF image"; then
  echo "Valid GIF"
else
  echo "Invalid file"
fi
🧯 If You Can't Patch
- Isolate gifsicle usage to trusted environments only
- Implement rate limiting and monitoring for gifsicle processes
🔍 How to Verify
Check if Vulnerable:
Run 'gifsicle --version' and check whether the output contains '1.94'. If it does, the system is vulnerable.
Check Version:
gifsicle --version
Verify Fix Applied:
Run 'gifsicle --version' and confirm version is 1.95 or higher. Test with known malicious GIF from GitHub issue to ensure no crash.
📡 Detection & Monitoring
Log Indicators:
- Application crashes with floating point exception errors
- Core dumps from gifsicle processes
- Failed GIF processing jobs
Network Indicators:
- Unusual volume of GIF file uploads to systems using gifsicle
SIEM Query:
process_name:"gifsicle" AND (event_type:"crash" OR exit_code:"136" OR signal:"SIGFPE")
Exit code 136 is 128 + 8, the shell's encoding of a process killed by SIGFPE (signal 8).
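A wrapper that combines the input-validation workaround above with the crash indicators listed under Detection & Monitoring, as an added example that is not code from gifsicle or from this advisory; the gifsicle --resize-width invocation, the 30 second timeout and the log line format are assumptions.

```shell
#!/bin/bash
# Added example (not from the gifsicle project or this advisory): validate the
# GIF header before invoking gifsicle and report a signal-terminated run, so a
# SIGFPE crash on a crafted file is logged instead of silently failing a batch.
# Assumes gifsicle and coreutils timeout are on PATH.

# Return 0 if the file starts with a GIF87a or GIF89a signature, 1 otherwise.
is_gif_file() {
  local sig
  sig=$(head -c 6 "$1" 2>/dev/null | tr -d '\0')
  [ "$sig" = "GIF87a" ] || [ "$sig" = "GIF89a" ]
}

# Map a shell exit status to a short label. A status above 128 means the
# child died from signal (status - 128); SIGFPE is signal 8, hence 136.
classify_exit() {
  case "$1" in
    0)   echo "ok" ;;
    124) echo "timeout" ;;
    134) echo "crash:SIGABRT" ;;
    136) echo "crash:SIGFPE" ;;
    139) echo "crash:SIGSEGV" ;;
    *)   if [ "$1" -gt 128 ]; then echo "crash:SIG$(( $1 - 128 ))"
         else echo "error:$1"; fi ;;
  esac
}

# Resize a GIF with gifsicle under a timeout, refusing non-GIF input and
# writing one log line per run that a SIEM query can match on exit_code.
safe_resize() {
  local in="$1" out="$2" width="${3:-128}" status
  if ! is_gif_file "$in"; then
    echo "process_name=gifsicle file=$in result=rejected:not-a-gif" >&2
    return 2
  fi
  timeout 30 gifsicle --resize-width "$width" "$in" -o "$out"
  status=$?
  echo "process_name=gifsicle file=$in exit_code=$status result=$(classify_exit "$status")" >&2
  return "$status"
}
```

Run it as `safe_resize in.gif out.gif 256`; a crafted file that triggers the SIGFPE yields a log line with `exit_code=136 result=crash:SIGFPE` rather than an unexplained failed job.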
🔗 References
- https://github.com/kohler/gifsicle/issues/196
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3I6Z7VAHUYX3Q4DULJ76NFD2CIFZJYH5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WLTXJS6AIKPGVOAJ7EYC4HL3NEG6CGF/