Bug 224960 - graphics/optipng: update to 0.7.7
Summary: graphics/optipng: update to 0.7.7
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: Yuri Victorovich
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2018-01-06 23:59 UTC by Vidar Karlsen
Modified: 2018-02-12 10:02 UTC

See Also:
yuri: maintainer-feedback+
vidar: merge-quarterly?


Attachments
Patch to update optipng to 0.7.7 (2.08 KB, patch), 2018-01-06 23:59 UTC, Vidar Karlsen

Description Vidar Karlsen 2018-01-06 23:59:23 UTC
Created attachment 189482
Patch to update optipng to 0.7.7

Update OptiPNG to 0.7.7

This fixes two security vulnerabilities, a buffer overflow vulnerability
in the GIF decoder and an integer overflow vulnerability in the TIFF decoder.

CVE-2017-16938:
A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to cause
a denial-of-service attack or other unspecified impact with a maliciously
crafted GIF format file, related to an uncontrolled loop in the LZWReadByte
function of the gifread.c file.

CVE-2017-1000229:
Integer overflow bug in function minitiff_read_info() of optipng 0.7.6
allows an attacker to remotely execute code or cause denial of service.

QA of the attached patch:
portlint -A: looks fine.
poudriere testport FreeBSD 11.1 amd64: ok
poudriere testport FreeBSD 11.1 i386:  ok
poudriere testport FreeBSD 10.4 amd64: ok
poudriere testport FreeBSD 10.4 i386:  ok
poudriere testport FreeBSD 10.3 amd64: ok
poudriere testport FreeBSD 10.3 i386:  ok

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16938
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000229
http://optipng.sourceforge.net/
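The integer-overflow class named under CVE-2017-1000229 (untrusted 32-bit image header fields multiplied into an allocation size), shown as an added C illustration. This is not optipng's code and it makes no claim about where in minitiff_read_info() the original bug sat; the field names and both helper functions are hypothetical, and the sample dimensions are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical helper (added example, not optipng code): multiply two
 * size_t values and refuse to wrap around. Returns 1 on success, 0 if the
 * product would exceed SIZE_MAX; *out is only written on success.
 */
static int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/*
 * The hazard: header fields are 32-bit, so this product is evaluated in
 * 32-bit unsigned arithmetic and silently wraps before it is widened to
 * size_t. A decoder that allocates this many bytes and then writes
 * width*height pixels into the buffer overruns it.
 */
size_t naive_buffer_size(uint32_t width, uint32_t height,
                         uint32_t samples_per_pixel, uint32_t bits_per_sample)
{
    return width * height * samples_per_pixel * (bits_per_sample / 8);
}

/*
 * The check: every multiplication is done in size_t with an overflow test,
 * and implausible bit depths are rejected up front. Returns 1 and stores the
 * byte count in *out, or returns 0 (leaving *out untouched) when the
 * dimensions cannot be represented.
 */
int checked_buffer_size(uint32_t width, uint32_t height,
                        uint32_t samples_per_pixel, uint32_t bits_per_sample,
                        size_t *out)
{
    size_t row_bits, row_bytes, total;

    if (width == 0 || height == 0 || samples_per_pixel == 0)
        return 0;
    /* Only whole-byte sample sizes up to 64 bits are accepted here. */
    if (bits_per_sample == 0 || bits_per_sample > 64 || bits_per_sample % 8 != 0)
        return 0;
    if (!checked_mul_size((size_t)width, (size_t)samples_per_pixel, &row_bits))
        return 0;
    if (!checked_mul_size(row_bits, (size_t)bits_per_sample, &row_bits))
        return 0;
    row_bytes = row_bits / 8;
    if (!checked_mul_size(row_bytes, (size_t)height, &total))
        return 0;
    *out = total;
    return 1;
}

int main(void)
{
    /* Constructed header values: a plausible RGB image and an absurd one. */
    size_t n;
    printf("640x480 RGB/8: naive=%zu checked_ok=%d\n",
           naive_buffer_size(640, 480, 3, 8),
           checked_buffer_size(640, 480, 3, 8, &n));
    printf("max x max RGBA/8: naive=%zu checked_ok=%d\n",
           naive_buffer_size(UINT32_MAX, UINT32_MAX, 4, 8),
           checked_buffer_size(UINT32_MAX, UINT32_MAX, 4, 8, &n));
    return 0;
}
```

For the 4294967295 x 4294967295 RGBA case the naive form yields 4 bytes, which is exactly the shape of allocation that a later pixel loop overruns; the checked form refuses the header instead, and that refusal is the decoder-side mitigation the 0.7.7 update delivers for the TIFF reader.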
Comment 1 Yuri Victorovich 2018-02-12 09:59:59 UTC
Timeout expired.
Comment 2 Yuri Victorovich 2018-02-12 10:02:10 UTC
Committed, thanks!
Comment 3 commit-hook 2018-02-12 10:02:54 UTC
A commit references this bug:

Author: yuri
Date: Mon Feb 12 10:02:03 UTC 2018
New revision: 461572
URL: https://svnweb.freebsd.org/changeset/ports/461572

Log:
  graphics/optipng: Update to 0.7.7

  PR:		224960
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  Approved by:	timeout expired, tcberner (mentor, implicit)

Changes:
  head/graphics/optipng/Makefile
  head/graphics/optipng/distinfo
  head/graphics/optipng/files/patch-src_pngxtern_pngxmem.c