Your message dated Sat, 09 Dec 2017 12:03:01 +0000
with message-id <e1endqp-0004lx...@fasolo.debian.org>
and subject line Bug#882032: fixed in optipng 0.7.6-1+deb9u1
has caused the Debian Bug report #882032,
regarding optipng: CVE-2017-1000229: Integer Overflow Bug while parsing TIFF input file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882032: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882032
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: optipng
Version: 0.7.6-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/optipng/bugs/65/

Hi,

the following vulnerability was published for optipng.

CVE-2017-1000229[0]:
| Integer overflow bug in function minitiff_read_info() of optipng 0.7.6
| allows an attacker to remotely execute code or cause denial of
| service.

With the poc.tiff on upstream bug:

==9473== Memcheck, a memory error detector
==9473== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9473== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9473== Command: optipng poc.tiff
==9473== 
** Processing: poc.tiff
==9473== Invalid write of size 4
==9473==    at 0x109C53: read_ulong_values (tiffread.c:131)
==9473==    by 0x117504: minitiff_read_info (tiffread.c:358)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473==  Address 0x4aa56cc is 0 bytes after a block of size 4 alloc'd
==9473==    at 0x482E2BC: malloc (vg_replace_malloc.c:299)
==9473==    by 0x1174CA: minitiff_read_info (tiffread.c:353)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473== 
Error: Error reading TIFF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
==9473== 
==9473== HEAP SUMMARY:
==9473==     in use at exit: 4 bytes in 1 blocks
==9473==   total heap usage: 5 allocs, 4 frees, 5,600 bytes allocated
==9473== 
==9473== LEAK SUMMARY:
==9473==    definitely lost: 4 bytes in 1 blocks
==9473==    indirectly lost: 0 bytes in 0 blocks
==9473==      possibly lost: 0 bytes in 0 blocks
==9473==    still reachable: 0 bytes in 0 blocks
==9473==         suppressed: 0 bytes in 0 blocks
==9473== Rerun with --leak-check=full to see details of leaked memory
==9473== 
==9473== For counts of detected and suppressed errors, rerun with: -v
==9473== ERROR SUMMARY: 262143 errors from 1 contexts (suppressed: 0 from 0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000229
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000229

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
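The Valgrind trace above shows the characteristic shape of this bug class: a 4-byte block is allocated in minitiff_read_info() and the value loop in read_ulong_values() then writes past it, which happens when the byte size of an attacker-controlled element count wraps before it reaches malloc(). As an added example (not optipng's code; the function names, the 32-bit multiplication, the MAX_LONG_VALUES cap and the sample bytes are assumptions constructed for illustration), the unchecked sizing beside a checked reader that derives the allocation and the copy loop from the same validated count:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed sample: three little-endian LONG values, as a TIFF IFD entry
 * of type LONG with count 3 would carry them. */
static const uint8_t sample_ifd_longs[12] = {
    0x01, 0x00, 0x00, 0x00,  0xff, 0xff, 0xff, 0xff,  0x78, 0x56, 0x34, 0x12
};

/* Unchecked sizing: count * 4 in 32-bit arithmetic wraps, so a huge count
 * yields a tiny allocation (the trace shows a 4-byte block). */
uint32_t naive_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(uint32_t);
}

/* Checked sizing: reject counts whose byte size cannot be represented, and
 * apply a sanity cap (assumed value) so one entry cannot demand gigabytes.
 * Returns false on rejection; *out receives the byte size on success. */
#define MAX_LONG_VALUES (1u << 20)

bool checked_alloc_size(uint32_t count, size_t *out)
{
    if (count == 0 || count > MAX_LONG_VALUES)
        return false;
    if ((size_t)count > SIZE_MAX / sizeof(uint32_t))   /* would wrap */
        return false;
    *out = (size_t)count * sizeof(uint32_t);
    return true;
}

/* Copy `count` little-endian LONGs from a bounded input buffer into a freshly
 * allocated array. Returns NULL if the count is rejected or the input is too
 * short; the loop cannot run past the block because both are sized from the
 * same validated count. The caller frees the result. */
uint32_t *read_ulong_values_checked(const uint8_t *in, size_t in_len,
                                    uint32_t count)
{
    size_t bytes;
    if (!checked_alloc_size(count, &bytes) || bytes > in_len)
        return NULL;
    uint32_t *vals = malloc(bytes);
    if (vals == NULL)
        return NULL;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = in + (size_t)i * 4;
        vals[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                  (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return vals;
}
```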
--- Begin Message ---
Source: optipng
Source-Version: 0.7.6-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
optipng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated optipng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 07 Dec 2017 21:42:04 +0100
Source: optipng
Binary: optipng
Architecture: source
Version: 0.7.6-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 878839 882032
Description: 
 optipng    - advanced PNG (Portable Network Graphics) optimizer
Changes:
 optipng (0.7.6-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229)
     (Closes: #882032)
   * gifread: Detect indirect circular dependencies in LZW tables
     (CVE-2017-16938) (Closes: #878839)


--- End Message ---
_______________________________________________
Pkg-phototools-devel mailing list
Pkg-phototools-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-phototools-devel
