CVE-2017-1000229 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000229): Integer overflow bug in function minitiff_read_info() of optipng 0.7.6 allows an attacker to remotely execute code or cause denial of service.
@Maintainer please let us know when a fixed version is available in tree. Thank you
I could not find a patch or a new release upstream so I have contacted upstream now.
(In reply to Sebastian Pipping from comment #2) > I could not find a patch or a new release upstream so I have contacted > upstream now. Hi Sebastian, maybe the comment was not clear enough. As whiteboard shows [upstream] status is given to a bug that has not yet been fixed upstream. Since the CVE was made public today we keep this report for internal tracking purposes. Hope it's clearer now and thanks to you for such a fast reply.
Patch submitted upstream by now, applying downstream: commit f6e0b2dea97f6b8f437b32c0602d654dac8fb64c Author: Sebastian Pipping <sping@g.o> Date: Tue Nov 21 20:56:03 2017 +0100 media-gfx/optipng: CVE-2017-1000229 Package-Manager: Portage-2.3.10, Repoman-2.3.3 .../files/optipng-0.7.6-cve-2017-1000229.patch | 25 ++++++++++ media-gfx/optipng/optipng-0.7.6-r1.ebuild | 56 ++++++++++++++++++++++ 2 files changed, 81 insertions(+) https://github.com/gentoo/gentoo/commit/f6e0b2dea97f6b8f437b32c0602d654dac8fb64c
(In reply to Sebastian Pipping from comment #4) Thank you, please call for stabilization when appropriate or let us know.
(In reply to Christopher Díaz Riveros from comment #5) > Thank you, please call for stabilization when appropriate or let us know. Adding arches... # eshowkw Keywords for media-gfx/optipng: | | u | | a a p a n r s | n | | l m h i p r m m i i s p | e u s | r | p d a p a p c x m i 6 o s 3 a | a s l | e | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o ------------+---------------------------------+-------+------- 0.7.6 | ~ + ~ o o + + + o o o o o o o o | 4 o 0 | gentoo [I]0.7.6-r1 | ~ ~ ~ o o ~ ~ ~ o o o o o o o o | 4 o | gentoo
ppc/ppc64 stable
amd64 stable
x86 stable @ Maintainer(s): Please cleanup and drop <media-gfx/optipng-0.7.6-r1!
(In reply to Thomas Deutschmann from comment #9) > @ Maintainer(s): Please cleanup and drop <media-gfx/optipng-0.7.6-r1! commit db692c4edd486975c504a1107891cfc576f49ec4 Author: Sebastian Pipping <sping@g.o> Date: Wed Nov 29 13:25:58 2017 +0100 media-gfx/optipng: Remove vulnerable (CVE-2017-1000229) Package-Manager: Portage-2.3.16, Repoman-2.3.6 media-gfx/optipng/optipng-0.7.6.ebuild | 55 ---------------------------------- 1 file changed, 55 deletions(-) https://github.com/gentoo/gentoo/commit/db692c4edd486975c504a1107891cfc576f49ec4
New GLSA request filed. Gentoo Security Padawan (jmbailey/mbailey_j)
This issue was resolved and addressed in GLSA 201801-02 at https://security.gentoo.org/glsa/201801-02 by GLSA coordinator Aaron Bauman (b-man).