Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 915342 (CVE-2023-43907) - <media-gfx/optipng-0.7.8: out-of-bounds read
Summary: <media-gfx/optipng-0.7.8: out-of-bounds read
Status: CONFIRMED
Alias: CVE-2023-43907
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://sourceforge.net/p/optipng/bug...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 916853
Blocks:
  Show dependency tree
 
Reported: 2023-10-07 18:37 UTC by Sebastian Pipping
Modified: 2023-11-06 06:51 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Pipping gentoo-dev 2023-10-07 18:37:01 UTC
I came across unfixed CVE-2023-43907 for OptiPNG at https://repology.org/project/optipng/versions .  Have not seen a public patch yet.
Comment 1 Agostino Sarubbo gentoo-dev 2023-10-08 06:54:25 UTC
Hi @sping, thanks for the report.

Based on what I'm reading in the upstream ticket linked by you I can see:
> READ of size 1 at 0x000000e73918 thread T0

Because of that I'm changing our Summary from write to read, but if I'm wrong please correct me. Thanks
Comment 2 Larry the Git Cow gentoo-dev 2023-11-04 00:23:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79476d4b145a4a6b0cbc0e73a6cefb5d584bf8fa

commit 79476d4b145a4a6b0cbc0e73a6cefb5d584bf8fa
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2023-11-04 00:19:05 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2023-11-04 00:19:42 +0000

    media-gfx/optipng: 0.7.8 + EAPI 8 + CVE-2023-43907
    
    Bug: https://bugs.gentoo.org/915342
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 media-gfx/optipng/Manifest             |  1 +
 media-gfx/optipng/optipng-0.7.8.ebuild | 56 ++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-11-05 12:42:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6bd8390a72c5b210b5c488f7b95a872952c47a71

commit 6bd8390a72c5b210b5c488f7b95a872952c47a71
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2023-11-05 12:41:38 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2023-11-05 12:41:38 +0000

    media-gfx/optipng: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/915342
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 media-gfx/optipng/Manifest                |  1 -
 media-gfx/optipng/optipng-0.7.7-r1.ebuild | 59 -------------------------------
 2 files changed, 60 deletions(-)