CVE-2021-45972: 
Linux Debian vulnerability analysis and mitigation

The giftrans function in giftrans 1.12.2 contains a stack-based buffer overflow vulnerability. The issue exists because a value inside the input file determines the amount of data to write, allowing an attacker to overwrite up to 250 bytes outside of the allocated buffer with arbitrary data. The vulnerability was discovered in December 2021 and assigned identifier CVE-2021-45972 (Debian Bug, NVD).

The vulnerability exists in the giftrans function where a buffer overflow can occur due to improper validation of the size value read from the input file. When processing a Graphic Control Extension (0xf9), the code reads a size value from the file and then attempts to write that many bytes into a fixed 5-byte buffer named 'gce'. Since the size value is controlled by the input file content without proper bounds checking, this allows writing beyond the buffer's boundaries (Debian Bug). The vulnerability has been assigned a CVSS v3.1 base score of 7.1 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H (NVD).

The vulnerability allows an attacker to overwrite up to 250 bytes outside of the allocated buffer with arbitrary data. This buffer overflow could potentially lead to arbitrary code execution or denial of service conditions (NVD).

The vulnerability has been fixed in giftrans version 1.12.2-20 by adding a length check to validate the size value before performing the buffer write operation. The patch (32fixsbo_giftrans.diff) was implemented to prevent the buffer overflow condition (Debian Bug).