CVE-2021-45909: 
Linux Debian vulnerability analysis and mitigation

An issue was discovered in gif2apng 1.9, identified as CVE-2021-45909. The vulnerability is a heap-based buffer overflow in the DecodeLZW function that allows an attacker to write a large amount of arbitrary data outside the boundaries of a buffer. This vulnerability was reported on December 27, 2021, affecting the gif2apng tool used for converting animated GIF images to APNG format (NVD, Debian Security).

The vulnerability exists in the DecodeLZW function within gif2apng.cpp. The function writes to a buffer allocated using malloc without performing proper size checks, allowing for memory corruption on the heap. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-787 (Out-of-bounds Write) (NVD, Debian Bug Report).

When exploited, this vulnerability allows attackers to write arbitrary data outside the boundaries of an allocated buffer, potentially leading to memory corruption on the heap. This could result in program crashes, system instability, or potential code execution (NVD, Debian LTS).

The vulnerability has been fixed in multiple distributions with updated versions: Debian 9 (Stretch) version 1.9+srconly-2+deb9u2, Debian 10 (Buster) version 1.9+srconly-2+deb10u1, and Debian 11 (Bullseye) version 1.9+srconly-3+deb11u1. The fix includes implementing proper buffer size checks in the DecodeLZW function (Debian LTS, Debian Bug Report).