I came across unfixed CVE-2023-43907 for OptiPNG at https://repology.org/project/optipng/versions . Have not seen a public patch yet.
Hi @sping, thanks for the report. Based on what I'm reading in the upstream ticket linked by you I can see:

> READ of size 1 at 0x000000e73918 thread T0

Because of that I'm changing our Summary from write to read, but if I'm wrong please correct me. Thanks
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79476d4b145a4a6b0cbc0e73a6cefb5d584bf8fa

commit 79476d4b145a4a6b0cbc0e73a6cefb5d584bf8fa
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2023-11-04 00:19:05 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2023-11-04 00:19:42 +0000

    media-gfx/optipng: 0.7.8 + EAPI 8 + CVE-2023-43907

    Bug: https://bugs.gentoo.org/915342
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 media-gfx/optipng/Manifest | 1 +
 media-gfx/optipng/optipng-0.7.8.ebuild | 56 ++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6bd8390a72c5b210b5c488f7b95a872952c47a71

commit 6bd8390a72c5b210b5c488f7b95a872952c47a71
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2023-11-05 12:41:38 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2023-11-05 12:41:38 +0000

    media-gfx/optipng: Drop vulnerable

    Bug: https://bugs.gentoo.org/915342
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 media-gfx/optipng/Manifest | 1 -
 media-gfx/optipng/optipng-0.7.7-r1.ebuild | 59 -------------------------------
 2 files changed, 60 deletions(-)