Comment 1 Christopher Díaz Riveros (RETIRED) 2017-11-17 14:45:28 UTC

@Maintainer please let us know when a fixed version is available in tree.

Thank you

Comment 2 Sebastian Pipping 2017-11-17 17:23:32 UTC

I could not find a patch or a new release upstream so I have contacted upstream now.

Comment 3 Christopher Díaz Riveros (RETIRED) 2017-11-17 17:41:24 UTC

(In reply to Sebastian Pipping from comment #2)
> I could not find a patch or a new release upstream so I have contacted
> upstream now.

Hi Sebastian, maybe the comment was not clear enough.

As whiteboard shows [upstream] status is given to a bug that has not yet been fixed upstream. Since the CVE was made public today we keep this report for internal tracking purposes.

Hope it's clearer now and thanks to you for such a fast reply.

Comment 4 Sebastian Pipping 2017-11-21 19:59:36 UTC

Patch submitted upstream by now, applying downstream:


commit f6e0b2dea97f6b8f437b32c0602d654dac8fb64c
Author: Sebastian Pipping <sping@g.o>
Date:   Tue Nov 21 20:56:03 2017 +0100

    media-gfx/optipng: CVE-2017-1000229
    
    Package-Manager: Portage-2.3.10, Repoman-2.3.3

 .../files/optipng-0.7.6-cve-2017-1000229.patch     | 25 ++++++++++
 media-gfx/optipng/optipng-0.7.6-r1.ebuild          | 56 ++++++++++++++++++++++
 2 files changed, 81 insertions(+)

https://github.com/gentoo/gentoo/commit/f6e0b2dea97f6b8f437b32c0602d654dac8fb64c

Comment 5 Christopher Díaz Riveros (RETIRED) 2017-11-21 22:18:38 UTC

(In reply to Sebastian Pipping from comment #4)

Thank you, please call for stabilization when appropriate or let us know.

Comment 6 Sebastian Pipping 2017-11-22 15:42:49 UTC

(In reply to Christopher Díaz Riveros from comment #5)
> Thank you, please call for stabilization when appropriate or let us know.

Adding arches...


# eshowkw 
Keywords for media-gfx/optipng:
            |                                 |   u   |  
            | a a         p   a     n r     s |   n   |  
            | l m   h i   p   r m m i i s   p | e u s | r
            | p d a p a p c x m i 6 o s 3   a | a s l | e
            | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p
            | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o
------------+---------------------------------+-------+-------
   0.7.6    | ~ + ~ o o + + + o o o o o o o o | 4 o 0 | gentoo
[I]0.7.6-r1 | ~ ~ ~ o o ~ ~ ~ o o o o o o o o | 4 o   | gentoo

Comment 7 Sergei Trofimovich (RETIRED) 2017-11-23 23:08:01 UTC

ppc/ppc64 stable

Comment 8 Agostino Sarubbo 2017-11-24 13:24:29 UTC

amd64 stable

Comment 9 Thomas Deutschmann (RETIRED) 2017-11-27 00:21:51 UTC

x86 stable

@ Maintainer(s): Please cleanup and drop <media-gfx/optipng-0.7.6-r1!

Comment 10 Sebastian Pipping 2017-11-29 12:27:21 UTC

(In reply to Thomas Deutschmann from comment #9)
> @ Maintainer(s): Please cleanup and drop <media-gfx/optipng-0.7.6-r1!

commit db692c4edd486975c504a1107891cfc576f49ec4
Author: Sebastian Pipping <sping@g.o>
Date:   Wed Nov 29 13:25:58 2017 +0100

    media-gfx/optipng: Remove vulnerable (CVE-2017-1000229)
    
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 media-gfx/optipng/optipng-0.7.6.ebuild | 55 ----------------------------------
 1 file changed, 55 deletions(-)

https://github.com/gentoo/gentoo/commit/db692c4edd486975c504a1107891cfc576f49ec4

New GLSA request filed.

Gentoo Security Padawan
(jmbailey/mbailey_j)

Comment 12 GLSAMaker/CVETool Bot 2018-01-07 23:17:52 UTC

This issue was resolved and addressed in
 GLSA 201801-02 at https://security.gentoo.org/glsa/201801-02
by GLSA coordinator Aaron Bauman (b-man).