Bug 637936 (CVE-2017-1000229) - <media-gfx/optipng-0.7.6-r1: integer overflow (CVE-2017-1000229)
Status: RESOLVED FIXED
Alias: CVE-2017-1000229
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceforge.net/p/optipng/bug...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-17 14:44 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-07 23:17 UTC

See Also:
Package list:
=media-gfx/optipng-0.7.6-r1
Runtime testing required: ---
stable-bot: sanity-check+

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-17 14:44:03 UTC
CVE-2017-1000229 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000229):
  Integer overflow bug in function minitiff_read_info() of optipng 0.7.6
  allows an attacker to remotely execute code or cause denial of service.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-17 14:45:28 UTC
@Maintainer please let us know when a fixed version is available in tree.

Thank you
Comment 2 Sebastian Pipping gentoo-dev 2017-11-17 17:23:32 UTC
I could not find a patch or a new release upstream so I have contacted upstream now.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-17 17:41:24 UTC
(In reply to Sebastian Pipping from comment #2)
> I could not find a patch or a new release upstream so I have contacted
> upstream now.

Hi Sebastian, maybe the comment was not clear enough.

As the whiteboard shows, [upstream] status is given to a bug that has not yet been fixed upstream. Since the CVE was made public today, we keep this report for internal tracking purposes.

Hope it's clearer now and thanks to you for such a fast reply.
Comment 4 Sebastian Pipping gentoo-dev 2017-11-21 19:59:36 UTC
Patch submitted upstream by now, applying downstream:


commit f6e0b2dea97f6b8f437b32c0602d654dac8fb64c
Author: Sebastian Pipping <sping@g.o>
Date:   Tue Nov 21 20:56:03 2017 +0100

    media-gfx/optipng: CVE-2017-1000229
    
    Package-Manager: Portage-2.3.10, Repoman-2.3.3

 .../files/optipng-0.7.6-cve-2017-1000229.patch     | 25 ++++++++++
 media-gfx/optipng/optipng-0.7.6-r1.ebuild          | 56 ++++++++++++++++++++++
 2 files changed, 81 insertions(+)

https://github.com/gentoo/gentoo/commit/f6e0b2dea97f6b8f437b32c0602d654dac8fb64c
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-21 22:18:38 UTC
(In reply to Sebastian Pipping from comment #4)

Thank you, please call for stabilization when appropriate or let us know.
Comment 6 Sebastian Pipping gentoo-dev 2017-11-22 15:42:49 UTC
(In reply to Christopher Díaz Riveros from comment #5)
> Thank you, please call for stabilization when appropriate or let us know.

Adding arches...


# eshowkw 
Keywords for media-gfx/optipng:
            |                                 |   u   |  
            | a a         p   a     n r     s |   n   |  
            | l m   h i   p   r m m i i s   p | e u s | r
            | p d a p a p c x m i 6 o s 3   a | a s l | e
            | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p
            | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o
------------+---------------------------------+-------+-------
   0.7.6    | ~ + ~ o o + + + o o o o o o o o | 4 o 0 | gentoo
[I]0.7.6-r1 | ~ ~ ~ o o ~ ~ ~ o o o o o o o o | 4 o   | gentoo
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-23 23:08:01 UTC
ppc/ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-11-24 13:24:29 UTC
amd64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-11-27 00:21:51 UTC
x86 stable

@ Maintainer(s): Please clean up and drop <media-gfx/optipng-0.7.6-r1!
Comment 10 Sebastian Pipping gentoo-dev 2017-11-29 12:27:21 UTC
(In reply to Thomas Deutschmann from comment #9)
> @ Maintainer(s): Please clean up and drop <media-gfx/optipng-0.7.6-r1!

commit db692c4edd486975c504a1107891cfc576f49ec4
Author: Sebastian Pipping <sping@g.o>
Date:   Wed Nov 29 13:25:58 2017 +0100

    media-gfx/optipng: Remove vulnerable (CVE-2017-1000229)
    
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 media-gfx/optipng/optipng-0.7.6.ebuild | 55 ----------------------------------
 1 file changed, 55 deletions(-)

https://github.com/gentoo/gentoo/commit/db692c4edd486975c504a1107891cfc576f49ec4
Comment 11 D'juan McDonald (domhnall) 2017-12-03 03:26:08 UTC
New GLSA request filed.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2018-01-07 23:17:52 UTC
This issue was resolved and addressed in
 GLSA 201801-02 at https://security.gentoo.org/glsa/201801-02
by GLSA coordinator Aaron Bauman (b-man).