Source: optipng
Version: 0.7.6-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/optipng/bugs/65/

Hi,

the following vulnerability was published for optipng.

CVE-2017-1000229[0]:
| Integer overflow bug in function minitiff_read_info() of optipng 0.7.6
| allows an attacker to remotely execute code or cause denial of
| service.

With the poc.tiff on upstream bug:

==9473== Memcheck, a memory error detector
==9473== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9473== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9473== Command: optipng poc.tiff
==9473==
** Processing: poc.tiff
==9473== Invalid write of size 4
==9473==    at 0x109C53: read_ulong_values (tiffread.c:131)
==9473==    by 0x117504: minitiff_read_info (tiffread.c:358)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473==  Address 0x4aa56cc is 0 bytes after a block of size 4 alloc'd
==9473==    at 0x482E2BC: malloc (vg_replace_malloc.c:299)
==9473==    by 0x1174CA: minitiff_read_info (tiffread.c:353)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473==
Error: Error reading TIFF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
==9473==
==9473== HEAP SUMMARY:
==9473==     in use at exit: 4 bytes in 1 blocks
==9473==   total heap usage: 5 allocs, 4 frees, 5,600 bytes allocated
==9473==
==9473== LEAK SUMMARY:
==9473==    definitely lost: 4 bytes in 1 blocks
==9473==    indirectly lost: 0 bytes in 0 blocks
==9473==      possibly lost: 0 bytes in 0 blocks
==9473==    still reachable: 0 bytes in 0 blocks
==9473==         suppressed: 0 bytes in 0 blocks
==9473== Rerun with --leak-check=full to see details of leaked memory
==9473==
==9473== For counts of detected and suppressed errors, rerun with: -v
==9473== ERROR SUMMARY: 262143 errors from 1 contexts (suppressed: 0 from 0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000229
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000229

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
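
Added example, not part of the original report and not optipng's code: it assumes the overflow arises where an element count taken from the file is multiplied by the element size in a 32-bit size_t. It shows a constructed count (0x40000001) wrapping to a 4-byte allocation, the block size Memcheck reports, next to a reader that rejects such a count; all function names and sample bytes are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte size as a 32-bit size_t computes it: the product wraps silently. */
static uint32_t wrapped_size32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;               /* modulo 2^32, no error */
}

/* Overflow-checked multiply: returns 0 if count * elem_size would wrap. */
static int checked_size32(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Hypothetical hardened reader: copy `count` little-endian 32-bit values from
 * an in-memory file image at `offset`. Rejects a count whose byte size wraps
 * or exceeds the bytes actually present. Returns a malloc'd array or NULL. */
static uint32_t *read_u32_array(const uint8_t *file, size_t file_len,
                                size_t offset, uint32_t count)
{
    uint32_t nbytes, i, *vals;
    if (count == 0 || !checked_size32(count, 4, &nbytes))
        return NULL;                        /* allocation size would wrap */
    if (offset > file_len || nbytes > file_len - offset)
        return NULL;                        /* more values than the file holds */
    if ((vals = malloc(nbytes)) == NULL)
        return NULL;
    for (i = 0; i < count; i++) {
        const uint8_t *p = file + offset + (size_t)i * 4;
        vals[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                  (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return vals;
}

int main(void)
{
    /* Constructed sample: 2 header bytes, then three 32-bit values. */
    const uint8_t img[] = {0xAA,0xBB, 1,0,0,0, 2,0,0,0, 0x78,0x56,0x34,0x12};
    uint32_t *ok = read_u32_array(img, sizeof img, 2, 3);
    printf("wrapped size %u, bad count rejected %d, third value 0x%x\n",
           (unsigned)wrapped_size32(0x40000001u, 4),
           read_u32_array(img, sizeof img, 2, 0x40000001u) == NULL,
           ok ? (unsigned)ok[2] : 0u);
    free(ok);
    return 0;
}
```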