Bug 639690 (CVE-2017-16938)

Summary:	<media-gfx/optipng-0.7.6-r2: Global buffer overflow (CVE-2017-16938)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	sping
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [glsa cve cleanup]
Package list:	=media-gfx/optipng-0.7.6-r2	Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2017-12-04 01:36:38 UTC

CVE-2017-16938 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16938):
  A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to cause a
  denial-of-service attack or other unspecified impact with a maliciously
  crafted GIF format file, related to an uncontrolled loop in the LZWReadByte
  function of the gifread.c file.

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-12-04 01:37:33 UTC

@Maintainer please let us know if we are affected. Call for stabilization when ready if that's the case.

Thank you.

Comment 2 Sebastian Pipping gentoo-dev

2017-12-04 19:45:19 UTC

commit 0da7381ee3668b7d015fc4082a001dcda0b94707
Author: Sebastian Pipping <sping@g.o>
Date:   Mon Dec 4 20:37:28 2017 +0100

    media-gfx/optipng: CVE-2017-16938
    
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../files/optipng-0.7.6-cve-2017-16938.patch       | 22 ++++++++
 media-gfx/optipng/optipng-0.7.6-r2.ebuild          | 59 ++++++++++++++++++++++
 2 files changed, 81 insertions(+)
[1]+  Done                    meld optipng-0.7.6-r{1,2}.ebuild

https://github.com/gentoo/gentoo/commit/0da7381ee3668b7d015fc4082a001dcda0b94707


(In reply to Christopher Díaz Riveros from comment #1)
> @Maintainer please let us know if we are affected.

Proof of concept file segfaults on amd64, no more crash with upstream patch.
Applied in Gentoo now.


(In reply to Christopher Díaz Riveros from comment #1)
> Call for stabilization when ready if that's the case.

Adding targets: amd64 ppc64 ppc x86

# eshowkw 
Keywords for media-gfx/optipng:
            |                                 |   u   |  
            | a a         p   a     n r     s |   n   |  
            | l m   h i   p   r m m i i s   p | e u s | r
            | p d a p a p c x m i 6 o s 3   a | a s l | e
            | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p
            | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o
------------+---------------------------------+-------+-------
   0.7.6-r1 | ~ + ~ o o + + + o o o o o o o o | 4 o 0 | gentoo
[I]0.7.6-r2 | ~ ~ ~ o o ~ ~ ~ o o o o o o o o | 6 o   | gentoo

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-12-08 20:39:59 UTC

x86 stable

Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev

2017-12-10 23:01:00 UTC

ppc/ppc64 stable

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2017-12-14 16:49:39 UTC

Added to an existing GLSA.

Comment 6 Agostino Sarubbo gentoo-dev

2017-12-14 20:27:30 UTC

amd64 stable.

Maintainer(s), please cleanup.

Comment 7 Sebastian Pipping gentoo-dev

2018-01-03 19:37:01 UTC

(In reply to Agostino Sarubbo from comment #6)
> Maintainer(s), please cleanup.

commit f836c9c5676d9d55c4082ac0343122755ccdf9d9
Author: Sebastian Pipping <sping@g.o>
Date:   Wed Jan 3 20:36:06 2018 +0100

    media-gfx/optipng: Remove 0.7.6-r1 (bug 639690)
    
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 media-gfx/optipng/optipng-0.7.6-r1.ebuild | 56 -------------------------------
 1 file changed, 56 deletions(-)

https://github.com/gentoo/gentoo/commit/f836c9c5676d9d55c4082ac0343122755ccdf9d9

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2018-01-07 23:18:00 UTC

This issue was resolved and addressed in
 GLSA 201801-02 at https://security.gentoo.org/glsa/201801-02
by GLSA coordinator Aaron Bauman (b-man).