Bug 561882 - <media-gfx/optipng-0.7.5-r1: buffer overflow
Summary: <media-gfx/optipng-0.7.5-r1: buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 579030
Blocks:
 
Reported: 2015-09-30 07:05 UTC by Agostino Sarubbo
Modified: 2016-08-11 06:32 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-09-30 07:05:14 UTC
From ${URL} :

We found a buffer overflow in global memory affecting optipng 0.7.5 using a
gif file. Upstream was notified. Find attached the test case in case
someone wants to provide some feedback. ASAN report is here:
$ ./optipng g.gif.-1694659802519428239

** Processing: g.gif.-1694659802519428239
Warning: Bogus data in GIF
=================================================================
==11221== ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000069541e at pc 0x46d24b bp 0x7fffffffaee0 sp 0x7fffffffaed8
READ of size 1 at 0x00000069541e thread T0
    #0 0x46d24a
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d24a)
    #1 0x46d724
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d724)
    #2 0x46cfe8
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cfe8)
    #3 0x46cbde
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cbde)
    #4 0x46c35b
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46c35b)
    #5 0x41c013
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x41c013)
    #6 0x418878
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x418878)
    #7 0x408c9a
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x408c9a)
    #8 0x40c309
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40c309)
    #9 0x40e7c5
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40e7c5)
    #10 0x404f3b
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x404f3b)
    #11 0x40503d
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40503d)
    #12 0x7ffff4aa7ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #13 0x401848
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x401848)
0x00000069541e is located 58 bytes to the right of global variable
'last_byte (gifread.c)' (0x6953e0) of size 4
  'last_byte (gifread.c)' is ascii string ''
0x00000069541e is located 2 bytes to the left of global variable 'buffer
(gifread.c)' (0x695420) of size 280
  'buffer (gifread.c)' is ascii string ''
Shadow bytes around the buggy address:
  0x0000800caa30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800caa40: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800caa50: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caa60: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caa70: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x0000800caa80: f9 f9 f9[f9]00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800caa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800caaa0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caab0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caac0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caad0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==11221== ABORTING



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
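For triaging reports like the one above, it helps to turn the ASan text into structured fields (error class, access kind and size, faulting address, frames, and the globals ASan names as neighbours) and to recompute the printed distances from the raw addresses so a mangled or hand-copied report is caught. The parser below is an added example, not code from the bug report or from optipng; the sample report is constructed from the lines quoted in the description, including the line wrapping the tracker applied, and the function and field names are the example's own.

```python
"""Parse an AddressSanitizer buffer-overflow report into structured fields.

Added example, not part of the Gentoo bug or the optipng project. It assumes the
report uses the ASan text format shown in the bug description (header line,
READ/WRITE line, numbered frames, "is located N bytes to the left/right of
global variable" lines). Hard-wrapped lines are tolerated by flattening whitespace.
"""
import re

# Constructed sample: the key lines of the ASan report quoted in the bug
# description, with the same hard line wrapping the tracker introduced.
SAMPLE_REPORT = """\
==11221== ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000069541e at pc 0x46d24b bp 0x7fffffffaee0 sp 0x7fffffffaed8
READ of size 1 at 0x00000069541e thread T0
    #0 0x46d24a
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d24a)
    #1 0x46d724
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d724)
    #12 0x7ffff4aa7ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
0x00000069541e is located 58 bytes to the right of global variable
'last_byte (gifread.c)' (0x6953e0) of size 4
  'last_byte (gifread.c)' is ascii string ''
0x00000069541e is located 2 bytes to the left of global variable 'buffer
(gifread.c)' (0x695420) of size 280
  'buffer (gifread.c)' is ascii string ''
==11221== ABORTING
"""

HEADER_RE = re.compile(
    r"==(\d+)== ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+) at pc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
FRAME_RE = re.compile(r"#(\d+) (0x[0-9a-f]+) \(([^)+]+)\+(0x[0-9a-f]+)\)")
GLOBAL_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']+)' \((0x[0-9a-f]+)\) of size (\d+)")


def parse_asan_report(text):
    """Return a dict describing the ASan error, its frames and neighbouring globals."""
    flat = " ".join(text.split())  # undo hard line wrapping before matching
    header = HEADER_RE.search(flat)
    access = ACCESS_RE.search(flat)
    if not header or not access:
        raise ValueError("not a recognisable AddressSanitizer error report")
    report = {
        "pid": int(header.group(1)),
        "kind": header.group(2),                 # e.g. global-buffer-overflow
        "address": int(header.group(3), 16),     # faulting address
        "pc": int(header.group(4), 16),
        "access": access.group(1),               # READ or WRITE
        "size": int(access.group(2)),            # bytes accessed
        "thread": access.group(4),
        "frames": [],
        "globals": [],
    }
    for num, pc, module, off in FRAME_RE.findall(flat):
        report["frames"].append(
            {"n": int(num), "pc": int(pc, 16), "module": module, "offset": int(off, 16)})
    for addr, dist, side, name, var_addr, size in GLOBAL_RE.findall(flat):
        variable, _, source = name.partition(" (")   # "last_byte (gifread.c)"
        fault, start, var_size = int(addr, 16), int(var_addr, 16), int(size)
        # Recompute the distance ASan printed from the raw addresses: "right"
        # means past the end of the variable, "left" means before its start.
        expected = (fault - (start + var_size)) if side == "right" else (start - fault)
        report["globals"].append({
            "variable": variable,
            "source": source.rstrip(")"),
            "start": start,
            "size": var_size,
            "side": side,
            "distance": int(dist),
            "consistent": expected == int(dist),
        })
    return report


def nearest_global(report):
    """The named global closest to the faulting address (smallest distance)."""
    return min(report["globals"], key=lambda g: g["distance"])


def triage_summary(report):
    """One-line summary suitable for a bug title or a detection alert."""
    g = nearest_global(report)
    top = report["frames"][0] if report["frames"] else None
    where = f"{top['module'].rsplit('/', 1)[-1]}+{top['offset']:#x}" if top else "unknown"
    relation = "past" if g["side"] == "right" else "before"
    return (f"{report['kind']}: {report['access']} of {report['size']} byte(s) at "
            f"{report['address']:#x}, {g['distance']} bytes {relation} '{g['variable']}' "
            f"({g['source']}, {g['size']} bytes), first frame {where}")


if __name__ == "__main__":
    print(triage_summary(parse_asan_report(SAMPLE_REPORT)))
```

On the sample this yields a one-byte read two bytes before `buffer` in gifread.c, with both printed distances confirmed against the raw addresses; a `consistent` flag of False on any global is a sign the report was altered or mis-copied and should be re-captured before filing.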
Comment 1 Sebastian Pipping gentoo-dev 2015-10-11 19:13:58 UTC
# git show --stat | sed 's,@gentoo.org,@g.o,'
commit e64498a11278374b3ea04983586a0ab8f599406e
Author: Sebastian Pipping <sping@g.o>
Date:   Sun Oct 11 21:10:43 2015 +0200

    media-gfx/optipng: Apply upstream patch for bug #561882
    
    Package-Manager: portage-2.2.23

 .../optipng/files/optipng-0.7.5-gifread.patch      | 12 +++++
 media-gfx/optipng/optipng-0.7.5-r1.ebuild          | 57 ++++++++++++++++++++++
 2 files changed, 69 insertions(+)


(In reply to Agostino Sarubbo from comment #0)
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please let us know if it is ready for the stabilization or not.

Green for stabilization from my side.
Comment 2 Sebastian Pipping gentoo-dev 2015-10-19 16:18:22 UTC
Upstream bug report has been marked publicly readable in the meantime:
http://sourceforge.net/p/optipng/bugs/53/
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2015-12-21 19:34:47 UTC
How about cleaning the tree?
Comment 4 Sebastian Pipping gentoo-dev 2015-12-21 22:08:40 UTC
(In reply to Justin Lecher from comment #3)
> How about cleaning the tree?

No objections.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-06-26 12:04:19 UTC
New GLSA requested.

Cleaned:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77b8e49e04cd340ccc573b437e7c7b15893d5978
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-08-11 06:32:50 UTC
This issue was resolved and addressed in
 GLSA 201608-01 at https://security.gentoo.org/glsa/201608-01
by GLSA coordinator Yury German (BlueKnight).