Your message dated Sat, 09 Dec 2017 14:38:32 +0000
with message-id <e1enggu-0001eq...@fasolo.debian.org>
and subject line Bug#882032: fixed in optipng 0.7.5-1+deb8u2
has caused the Debian Bug report #882032,
regarding optipng: CVE-2017-1000229: Integer Overflow Bug while parsing TIFF input file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882032: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882032
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: optipng
Version: 0.7.6-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/optipng/bugs/65/

Hi,

the following vulnerability was published for optipng.

CVE-2017-1000229[0]:
| Integer overflow bug in function minitiff_read_info() of optipng 0.7.6
| allows an attacker to remotely execute code or cause denial of
| service.

With the poc.tiff on upstream bug:

==9473== Memcheck, a memory error detector
==9473== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9473== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9473== Command: optipng poc.tiff
==9473== 
** Processing: poc.tiff
==9473== Invalid write of size 4
==9473==    at 0x109C53: read_ulong_values (tiffread.c:131)
==9473==    by 0x117504: minitiff_read_info (tiffread.c:358)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473==  Address 0x4aa56cc is 0 bytes after a block of size 4 alloc'd
==9473==    at 0x482E2BC: malloc (vg_replace_malloc.c:299)
==9473==    by 0x1174CA: minitiff_read_info (tiffread.c:353)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473== 
Error: Error reading TIFF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
==9473== 
==9473== HEAP SUMMARY:
==9473==     in use at exit: 4 bytes in 1 blocks
==9473==   total heap usage: 5 allocs, 4 frees, 5,600 bytes allocated
==9473== 
==9473== LEAK SUMMARY:
==9473==    definitely lost: 4 bytes in 1 blocks
==9473==    indirectly lost: 0 bytes in 0 blocks
==9473==      possibly lost: 0 bytes in 0 blocks
==9473==    still reachable: 0 bytes in 0 blocks
==9473==         suppressed: 0 bytes in 0 blocks
==9473== Rerun with --leak-check=full to see details of leaked memory
==9473== 
==9473== For counts of detected and suppressed errors, rerun with: -v
==9473== ERROR SUMMARY: 262143 errors from 1 contexts (suppressed: 0 from 0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000229
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000229

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
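The report above shows the classic shape of this bug class: the Valgrind trace has minitiff_read_info() allocate a block of only 4 bytes and read_ulong_values() immediately write past it, which is what happens when an element count taken from the file is multiplied by the element size in 32-bit arithmetic and wraps to a small number. The following C is an added example and not optipng's code; the function names, the TIFF-like sample bytes and the wrapping count 0x40000001 are all constructed for illustration. It shows the unchecked size computation beside a hardened one that bounds the count by the bytes actually available in the input, which defeats the wrap and any read past the end of the file at the same time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical TIFF-style reader. 'count' comes from a directory entry in
 * the input file and is therefore attacker-controlled. Nothing here is
 * optipng's code; all names are invented for this example. */

/* Unchecked size computation, kept only to show the wrap: the product is
 * formed in 32 bits, so a count of 0x40000001 yields a 4-byte allocation
 * while the caller still expects to store 0x40000001 values. */
uint32_t unchecked_size(uint32_t count)
{
    return count * 4u;
}

/* Checked size computation: reject any count whose byte size would exceed
 * 'limit'. Passing the number of bytes remaining in the file as 'limit'
 * rules out both the multiplication wrap and truncated reads.
 * Returns 1 on success and stores the byte size in *out_bytes. */
int checked_size(uint32_t count, size_t limit, size_t *out_bytes)
{
    if (count > limit / sizeof(uint32_t))
        return 0;
    *out_bytes = (size_t)count * sizeof(uint32_t);
    return 1;
}

/* Decode 'count' little-endian 32-bit values from 'data' (length 'len')
 * into a freshly allocated array. Returns NULL when the count does not fit
 * in the input or on allocation failure; the caller frees the result. */
uint32_t *read_u32_values(const uint8_t *data, size_t len, uint32_t count)
{
    size_t bytes;
    if (!checked_size(count, len, &bytes))
        return NULL;
    uint32_t *vals = malloc(bytes ? bytes : 1);
    if (vals == NULL)
        return NULL;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = data + (size_t)i * 4;
        vals[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    return vals;
}

/* Constructed sample input: two little-endian values, 0x10 and 0x12345678. */
static const uint8_t sample[8] = { 0x10, 0, 0, 0, 0x78, 0x56, 0x34, 0x12 };

/* Stand-alone demo: exit status 0 when the checked reader behaves as expected. */
int main(void)
{
    uint32_t *v = read_u32_values(sample, sizeof sample, 2);
    int ok = v != NULL && v[0] == 0x10u && v[1] == 0x12345678u
          && read_u32_values(sample, sizeof sample, 3) == NULL
          && read_u32_values(sample, sizeof sample, 0x40000001u) == NULL;
    free(v);
    return ok ? 0 : 1;
}
```

The important design point is that the limit is derived from the input size rather than from an arbitrary constant: a TIFF directory entry cannot legitimately describe more data than the file contains, so the bound is both safe and lossless for valid files.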
--- Begin Message ---
Source: optipng
Source-Version: 0.7.5-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
optipng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated optipng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Dec 2017 21:47:21 +0100
Source: optipng
Binary: optipng
Architecture: source
Version: 0.7.5-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 878839 882032
Description: 
 optipng    - advanced PNG (Portable Network Graphics) optimizer
Changes:
 optipng (0.7.5-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229)
     (Closes: #882032)
   * gifread: Detect indirect circular dependencies in LZW tables
     (CVE-2017-16938) (Closes: #878839)
Checksums-Sha1: 
 50bee18cfab0bda33d1b5ffb7717fb9c27c1199c 2182 optipng_0.7.5-1+deb8u2.dsc
 3d06666b97ceebb1e21d5f3bf3293b05e5b91b50 6632 optipng_0.7.5-1+deb8u2.debian.tar.bz2
Checksums-Sha256: 
 5a4487aef6ffd16d4f0827fe88c8b2fcafa1dcc6a2c6b53eda62e5bea4f5a025 2182 optipng_0.7.5-1+deb8u2.dsc
 1fe95d163db418b457c6fdf68e705fc7651b8898459f9c86ac4e452ac88da3b4 6632 optipng_0.7.5-1+deb8u2.debian.tar.bz2
Files: 
 48e2b62cc60888311692fa2aa160a39d 2182 graphics optional optipng_0.7.5-1+deb8u2.dsc
 3b090bb10709b155af4d3a00f66030ef 6632 graphics optional optipng_0.7.5-1+deb8u2.debian.tar.bz2

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlopqUlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EaBUP/2IVR5FJRQ0u6M31jfUzfSL9Ajw3EAO6
o8OdNtfLTzNK7D1sPG+zSw5nx2iRNMjMIwA2IGFte4InNYAlniEbsDvYkPSomzyP
53jgbjjHY7Ylt1rUvdxFYl361GtQcGq3jfkFPdQUN0dKsHhtfhrMYwCndN4JuYEG
wPXby33841gMDUnnUDsQdpR1fnE6sw7jfk/jylLrmF7Pzn4VMeeiJFL8RSa76i9X
vcfVjWlgHtgd6yauacpxGCIBriiApZWEXIVx9iYBMwqz0rfgykU2TXFnThREI4Wj
Ofpat9h3+xG4+WK12kxPIeUQvrRcI7f3FPi9tHodXyXfHkauX/0iff8178f+s+BW
Xlahy5P8kM/WBFkuCrBRhodAr9MoRt5e5uJqMB1V6n5s39wZiJZhtgBIGqtm0cNj
59fSeq7jHtDXWjI369DTP6JVUgfM9qu/y/6LN5R/KxD3RBPLHfjSOUzHCgI1uSyf
aJxZ1suOC48llX+1gEZWSj0oh8GC9jyD8eVyixpaN3f0ngkNFqim/SssMnmlCZY3
uYcfUxRDfqCuZFoOOe8IodwUASnICYhLp7aG3oY1ZVaDRb1igdyyf49naxt2Rmep
YqX9aSr9xNTSM1zjsLPGMY5JeDhZqhjoPbWW8JBVrmRb+Z6oTBYw7B+v0ZTSw2p5
hr2jZoPRRBgE
=DX9g
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-phototools-devel mailing list
Pkg-phototools-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-phototools-devel