From d89838bd0acf2a31210291d5d4d4ffbd8ffdc25f Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 20 Mar 2026 18:15:08 +0100 Subject: [PATCH] fix CVE-2026-23868: double free in GifMakeSavedImage (RHEL-154850) Resolves: RHEL-154850 --- gating.yaml | 2 +- giflib-5.2.1-cve-2026-23868.patch | 18 ++++++++++++++++++ giflib.spec | 10 +++++++++- 3 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 giflib-5.2.1-cve-2026-23868.patch diff --git a/gating.yaml b/gating.yaml index fb6f083..4ca9235 100644 --- a/gating.yaml +++ b/gating.yaml @@ -3,4 +3,4 @@ product_versions: - rhel-10 decision_context: osci_compose_gate rules: - - !PassingTestCaseRule {test_case_name: osci.brew-build.rpmdeplint.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional} diff --git a/giflib-5.2.1-cve-2026-23868.patch b/giflib-5.2.1-cve-2026-23868.patch new file mode 100644 index 0000000..3f27cf9 --- /dev/null +++ b/giflib-5.2.1-cve-2026-23868.patch @@ -0,0 +1,18 @@ +--- a/gifalloc.c ++++ b/gifalloc.c +@@ -349,6 +349,14 @@ + * problems. + */ + ++ /* Null out aliased pointers before any allocations ++ * so that FreeLastSavedImage won't free CopyFrom's ++ * data if an allocation fails partway through. */ ++ sp->ImageDesc.ColorMap = NULL; ++ sp->RasterBits = NULL; ++ sp->ExtensionBlocks = NULL; ++ sp->ExtensionBlockCount = 0; ++ + /* first, the local color map */ + if (CopyFrom->ImageDesc.ColorMap != NULL) { + sp->ImageDesc.ColorMap = GifMakeMapObject( + diff --git a/giflib.spec b/giflib.spec index a6d057b..c41421a 100644 --- a/giflib.spec +++ b/giflib.spec @@ -1,7 +1,7 @@ Name: giflib Summary: A library and utilities for processing GIFs Version: 5.2.1 -Release: 22%{?dist} +Release: 23%{?dist} License: MIT URL: http://www.sourceforge.net/projects/%{name}/ 
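Review bot: `sp->ExtensionBlockCount = 0;` is set here and nothing else in this one-hunk patch sets it back, so a successful copy keeps the right block count only if the extension-block code later in GifMakeSavedImage (outside the hunk) assigns it. If that code relies on the count presumably inherited from the earlier struct copy of CopyFrom, the new SavedImage would report zero extension blocks and any count-driven cleanup would skip its freshly allocated block array. Please check the unpatched function and, if the count is not reassigned, add `sp->ExtensionBlockCount = CopyFrom->ExtensionBlockCount;` right after the block array has been allocated and copied. While there, confirm whether the per-block data pointers are duplicated or still shared with CopyFrom, since that decides whether a restored count is safe on later frees.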
@@ -21,6 +21,9 @@ Patch3: CVE-2022-28506.patch # Taken from Debian package Patch4: fix-get-args-segment-violation.patch Patch5: giflib-5.2.1-fixsnprintf.patch +# from upstream, for <= 6.1.1, RHEL-154850 +# https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106/ +Patch6: giflib-5.2.1-cve-2026-23868.patch BuildRequires: cmake @@ -108,6 +111,8 @@ cp -a %{SOURCE1} . %mingw_cmake %mingw_make_build +# remove extra index.html.in +rm doc/index.html.in %install %cmake_install @@ -153,6 +158,9 @@ rm -rf %{buildroot}%{mingw64_mandir} %changelog +* Thu Mar 19 2026 Michal Hlavinka - 5.2.1-23 +- fix CVE-2026-23868: double free in GifMakeSavedImage (RHEL-154850) + * Thu Feb 06 2025 Michal Hlavinka - 5.2.1-22 - fix giftext memmory access error (RHEL-77803)
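Review bot: Nothing in the visible hunks applies `Patch6`; the %prep section is outside this diff, so whether the fix reaches the build depends on it using `%autosetup` or `%autopatch` rather than numbered `%patch` lines. If patches are applied one by one, this commit needs a matching `%patch -P6 -p1` (the embedded patch uses `a/` and `b/` path prefixes). Without it the package would ship as 5.2.1-23 with a changelog claiming the CVE fix but without the code change.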
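Review bot: The `rm doc/index.html.in` step added after `%mingw_make_build` is unrelated to the CVE fix and is not recorded in the new %changelog entry or the commit message. The comment calls the file "extra" but does not say which step produces it or what goes wrong if it stays, so a later maintainer cannot tell whether the line is still needed. I would expand the comment with that reason and add a changelog line such as `- remove extra doc/index.html.in`. Plain `rm` also stops the build if the file is ever absent; if that is meant as a tripwire, say so in the comment, otherwise use `rm -f doc/index.html.in`.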