SixLabors ImageSharp
cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*
- < 2.1.11
- < 3.1.11
A denial-of-service vulnerability has been identified in the SixLabors ImageSharp library, specifically in the GIF decoding functionality. This issue affects versions prior to 2.1.11 and in the 3.0.0 to 3.1.10 range. The vulnerability arises when the decoder processes a specially crafted GIF file that contains a malformed comment extension block, lacking a proper block terminator. As a result, the decoder can enter an infinite loop while trying to skip the problematic block, leading to excessive resource consumption. Applications that handle untrusted GIF files are advised to upgrade to version 2.1.11 or 3.1.11, where this issue has been fixed.
Exploitation of this vulnerability causes the GIF decoder to enter an infinite loop, effectively freezing the application and leading to a denial-of-service condition.
The vulnerability can be reproduced by using the ImageSharp library to decode a crafted GIF file that contains a malformed comment extension block. This can be done by creating a project that references ImageSharp, and then using the 'DecoderOptions' to skip metadata while loading the image. The infinite loop can be observed when the 'Image.Identify' or 'Image.Load' methods are called with the malformed GIF file.
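The failure mode described above is a sub-block chain walker that never checks for end-of-file. The following Python script, added as an example for this advisory and not ImageSharp's own code (ImageSharp is C#; Python is used here because the structure check is decoder-independent), walks a GIF's block layout per the GIF89a specification and reports any extension or image-data sub-block chain that reaches EOF without the 0x00 block terminator. Every loop iteration advances the offset, so the walk is bounded by the file length. The two GIF byte strings are constructed for the test: one well-formed 1x1 image with a terminated comment extension, and the same file with the comment's terminator byte removed. It generalises beyond the comment extension to every sub-block chain (graphic control, plain text, application extensions and LZW image data), since all share the same size-prefixed layout.

```python
"""Pre-screen for GIF sub-block chains that lack a block terminator.

Example code written for this advisory, not ImageSharp's own implementation.
Block layout follows the GIF89a specification.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EXTENSION_INTRODUCER = 0x21   # followed by a label byte, then sub-blocks
IMAGE_DESCRIPTOR = 0x2C       # 10-byte descriptor, optional color table, LZW data
TRAILER = 0x3B                # end of GIF stream


@dataclass
class GifCheck:
    ok: bool
    blocks: List[Tuple[int, str]] = field(default_factory=list)  # (offset, kind)
    error: Optional[str] = None


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Return the offset just past the 0x00 terminator of the sub-block chain at pos.

    Raises ValueError if the chain runs off the end of the file. The EOF check at
    the top of each iteration is what a vulnerable decoder is missing.
    """
    while True:
        if pos >= len(data):
            raise ValueError("sub-block chain reaches EOF without a block terminator")
        size = data[pos]
        pos += 1
        if size == 0:          # block terminator
            return pos
        pos += size            # skip payload; bounds re-checked next iteration


def check_gif(data: bytes) -> GifCheck:
    """Walk the GIF block structure; ok is True only if a trailer is reached."""
    result = GifCheck(ok=False)
    try:
        if data[:6] not in (b"GIF87a", b"GIF89a"):
            raise ValueError("not a GIF signature")
        if len(data) < 13:
            raise ValueError("truncated logical screen descriptor")
        packed = data[10]
        pos = 13
        if packed & 0x80:                       # global color table present
            pos += 3 * (2 << (packed & 0x07))   # 3 * 2^(n+1) bytes
        while True:
            if pos >= len(data):
                raise ValueError("EOF before trailer (0x3B)")
            block = data[pos]
            if block == TRAILER:
                result.blocks.append((pos, "trailer"))
                result.ok = True
                return result
            if block == EXTENSION_INTRODUCER:
                if pos + 1 >= len(data):
                    raise ValueError("extension introducer without label")
                label = data[pos + 1]
                result.blocks.append((pos, f"extension 0x{label:02X}"))
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == IMAGE_DESCRIPTOR:
                result.blocks.append((pos, "image"))
                if pos + 10 > len(data):
                    raise ValueError("truncated image descriptor")
                lpacked = data[pos + 9]
                pos += 10
                if lpacked & 0x80:                  # local color table present
                    pos += 3 * (2 << (lpacked & 0x07))
                if pos >= len(data):
                    raise ValueError("missing LZW minimum code size")
                pos += 1
                pos = _skip_sub_blocks(data, pos)   # LZW data sub-blocks
            else:
                raise ValueError(f"unknown block 0x{block:02X} at offset {pos}")
    except (ValueError, IndexError) as exc:
        result.error = str(exc)
        return result


# Constructed samples (not taken from any real file).
GOOD_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"    # 1x1, global color table, 2 entries
    + b"\x00\x00\x00\xff\xff\xff"                 # color table: black, white
    + b"\x21\xfe\x05hello\x00"                    # comment extension, terminated
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    + b"\x02\x02\x44\x01\x00"                     # LZW data, terminated
    + b"\x3b"                                     # trailer
)
# Same file with the comment's 0x00 terminator removed: the next byte (0x2C)
# is consumed as a sub-block size and the chain runs off the end of the file.
BAD_GIF = GOOD_GIF.replace(b"\x05hello\x00", b"\x05hello")

if __name__ == "__main__":
    for name, sample in (("good", GOOD_GIF), ("bad", BAD_GIF)):
        print(name, check_gif(sample))
```

Running a check like this on untrusted input before decoding does not replace the upgrade; it only refuses files that a pre-2.1.11 or pre-3.1.11 decoder would spin on. The point of the example is the EOF test inside `_skip_sub_blocks`: a decoder that loops on the size byte must treat end-of-stream as a terminating condition, not as a zero-length or negative block to skip.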
Users are advised to upgrade to ImageSharp versions 2.1.11 or 3.1.11, where this vulnerability has been patched.