Bug 579030

Summary: <media-gfx/optipng-0.7.6: invalid write / buffer overflow (CVE-2016-{2191,3981,3982})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: sping, tristan
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2016/04/04/2
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 561882

Description Hanno Böck gentoo-dev 2016-04-04 16:49:12 UTC
See
http://www.openwall.com/lists/oss-security/2016/04/04/2
and
http://optipng.sourceforge.net/

According to the optipng page there are two different vulns, but I haven't seen a public announcement or advisory for the second.

There seems to be another vuln in the gif code that was already backported in gentoo in bug #561882.

Anyway, please bump to 0.7.6.
Comment 1 Sebastian Pipping gentoo-dev 2016-04-04 21:14:03 UTC
(In reply to Hanno Boeck from comment #0)
> Anyway, please bump to 0.7.6.

Bumped.
https://github.com/gentoo/gentoo/commit/db5868a52221a1dfda5156f7f3ea4fd823a1ee9d
Comment 2 Hanno Böck gentoo-dev 2016-04-20 09:45:40 UTC
Can we start stabilizing?
Comment 3 Sebastian Pipping gentoo-dev 2016-04-30 13:03:11 UTC
No objections from my side.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-05 09:19:11 UTC
Stable for PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2016-05-11 10:50:27 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-05-11 10:51:37 UTC
x86 stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 12:06:14 UTC
CVE-2016-2191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2191):
  The bmp_read_rows function in pngxtern/pngxrbmp.c in OptiPNG before 0.7.6
  allows remote attackers to cause a denial of service (invalid memory write
  and crash) via a series of delta escapes in a crafted BMP image.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-06-26 12:07:10 UTC
Added to existing GLSA request.

@ppc, ping.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 12:11:05 UTC
CVE-2016-3982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3982):
  Off-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiPNG
  before 0.7.6 allows remote attackers to cause a denial of service
  (out-of-bounds read or write access and crash) or possibly execute arbitrary
  code via a crafted image file, which triggers a heap-based buffer overflow.

CVE-2016-3981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3981):
  Heap-based buffer overflow in the bmp_read_rows function in pngxrbmp.c in
  OptiPNG before 0.7.6 allows remote attackers to cause a denial of service
  (out-of-bounds read or write access and crash) or possibly execute arbitrary
  code via a crafted image file.
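Both bmp_read_rows CVEs above (CVE-2016-2191 and CVE-2016-3981) come down to RLE-compressed BMP data steering writes outside the destination row buffer, with delta escapes named explicitly in the first. The following is an added illustration written for this bug page, not OptiPNG's own pngxrbmp.c code and not a description of its fix: a small RLE8 decoder in which every cursor move and every run is checked against the image geometry before anything is written. The 4x2 sample streams, the top-down row layout and the conservative rule that a delta escape may not land on or past the last row are constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the hardened RLE8 decoder (example code, not OptiPNG's). */
enum rle_status { RLE_OK = 0, RLE_ERR_TRUNCATED = 1, RLE_ERR_OUT_OF_BOUNDS = 2 };

/*
 * Decode a BMP RLE8 stream into an 8-bpp buffer of width*height bytes.
 * Rows are stored top-to-bottom here (assumed layout for the example; real
 * BMPs are usually bottom-up, which only changes the row index mapping).
 * A delta escape or a run that would leave the image is rejected, never written.
 */
enum rle_status rle8_decode(const uint8_t *in, size_t in_len,
                            uint8_t *out, uint32_t width, uint32_t height)
{
    size_t pos = 0;
    uint32_t x = 0, y = 0;

    memset(out, 0, (size_t)width * height);        /* undecoded pixels stay 0 */

    while (pos + 1 < in_len) {                    /* need a complete 2-byte pair */
        uint8_t count = in[pos], value = in[pos + 1];
        pos += 2;

        if (count > 0) {                            /* encoded run: count copies of value */
            if (y >= height || (uint64_t)x + count > width) return RLE_ERR_OUT_OF_BOUNDS;
            memset(out + (size_t)y * width + x, value, count);
            x += count;
            continue;
        }

        switch (value) {
        case 0:                                     /* end of line */
            x = 0; y++;
            break;
        case 1:                                     /* end of bitmap */
            return RLE_OK;
        case 2: {                                   /* delta escape: move cursor by (dx, dy) */
            if (pos + 1 >= in_len) return RLE_ERR_TRUNCATED;
            uint8_t dx = in[pos], dy = in[pos + 1];
            pos += 2;
            /* Unchecked, the move relocates every later write to an arbitrary
               offset; the cursor must remain inside the image. */
            if ((uint64_t)x + dx > width || (uint64_t)y + dy >= height)
                return RLE_ERR_OUT_OF_BOUNDS;
            x += dx; y += dy;
            break;
        }
        default: {                                  /* absolute mode: value literal bytes */
            uint32_t n = value;
            size_t padded = (n + 1) & ~(size_t)1;   /* literal runs are word aligned */
            if (pos + padded > in_len) return RLE_ERR_TRUNCATED;
            if (y >= height || (uint64_t)x + n > width) return RLE_ERR_OUT_OF_BOUNDS;
            memcpy(out + (size_t)y * width + x, in + pos, n);
            pos += padded; x += n;
            break;
        }
        }
    }
    return RLE_ERR_TRUNCATED;                       /* input ended before end-of-bitmap */
}

/* Constructed sample streams for a 4x2 image (not taken from any real file). */
static const uint8_t GOOD_STREAM[] = {
    0x02, 0xAA,             /* two pixels of 0xAA at (0,0)      */
    0x00, 0x02, 0x01, 0x01, /* delta escape: cursor to (3,1)    */
    0x01, 0xBB,             /* one pixel of 0xBB at (3,1)       */
    0x00, 0x01              /* end of bitmap                    */
};
static const uint8_t BAD_DELTA_STREAM[] = {
    0x00, 0x02, 0x00, 0x05, /* delta dy=5 on a 2-row image      */
    0x01, 0xCC, 0x00, 0x01
};
static const uint8_t TRUNCATED_STREAM[] = { 0x00, 0x02, 0x01 }; /* delta cut short */

/* Small wrappers so each outcome is a return value rather than printed text. */
int demo_good_status(void)        { uint8_t o[8]; return rle8_decode(GOOD_STREAM, sizeof GOOD_STREAM, o, 4, 2); }
int demo_good_pixel(size_t i)     { uint8_t o[8]; rle8_decode(GOOD_STREAM, sizeof GOOD_STREAM, o, 4, 2); return o[i]; }
int demo_bad_delta_status(void)   { uint8_t o[8]; return rle8_decode(BAD_DELTA_STREAM, sizeof BAD_DELTA_STREAM, o, 4, 2); }
int demo_truncated_status(void)   { uint8_t o[8]; return rle8_decode(TRUNCATED_STREAM, sizeof TRUNCATED_STREAM, o, 4, 2); }

int main(void)
{
    printf("good stream:      status %d, pixel[7]=0x%02X\n", demo_good_status(), demo_good_pixel(7));
    printf("bad delta stream: status %d\n", demo_bad_delta_status());
    printf("truncated stream: status %d\n", demo_truncated_status());
    return 0;
}
```

The check that matters for this bug class is the one in the delta branch: the cursor position after a move is validated before it is used as a write offset, so a sequence of escapes cannot accumulate into an out-of-image address. Rejecting the file outright, rather than clamping, keeps the decoder's output honest and makes malformed input visible to the caller.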
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 08:18:38 UTC
ppc stable.

Maintainer(s), please cleanup.
Comment 11 Sebastian Pipping gentoo-dev 2016-07-08 10:10:19 UTC
(In reply to Agostino Sarubbo from comment #10)
> Maintainer(s), please cleanup.

Done

https://github.com/gentoo/gentoo/commit/4d09b54143ce2beaa1bf7cb65f700fd2e16db6c9
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-08-11 06:32:59 UTC
This issue was resolved and addressed in GLSA 201608-01 at https://security.gentoo.org/glsa/201608-01 by GLSA coordinator Yury German (BlueKnight).