Created attachment 246007
Patch for graphics/optipng
Patch in a bounds check in gifread.c, verified as preventing the out of bounds 1 byte read demonstrated by https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/optipng-global-buffer-overflow1/optipng-global-buffer-overflow1.md
The optional configuration for using bundled libraries has been removed due to their age (with several CVEs noted in libpng since) and lack of any demonstrated benefit.
Created attachment 246008
Updated patch for graphics/optipng
Some irony in being off by one in the other direction.
Created attachment 246009
Updated, updated patch for graphics/optipng
No point guarding the loop if code_size = 0, since it'll never execute.
Will MFH and add VuXML entry.
Thanks! Upstream suggests we may see a 0.7.8 in the next day or so if you wanted to save some churn.
Just replace the patch when it gets to that and I'll try to get it in.
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=058d72efccdaaff3cca0d5780fb3de61d64a5321
commit 058d72efccdaaff3cca0d5780fb3de61d64a5321
Author:     Robert Clausecker <fuz@FreeBSD.org>
AuthorDate: 2023-11-02 03:04:33 +0000
Commit:     Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2023-11-03 21:16:08 +0000
    security/vuxml: document optipng vulnerability
    PR: 274822
    Reported by: Thomas Hurst <tom@hur.st>
 security/vuxml/vuln/2023.xml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=0a1052798c8e4879ca869b9032830a4ca00b1c02
commit 0a1052798c8e4879ca869b9032830a4ca00b1c02
Author:     Thomas Hurst <tom@hur.st>
AuthorDate: 2023-10-30 22:45:22 +0000
Commit:     Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2023-11-03 21:16:19 +0000
    graphics/optipng: Add fix for CVE-2023-43907
    - Add a bounds check to prevent out-of-bounds read of buffer on
      specially-formed GIF files.
    - Remove BUNDLED_LIBPNG and BUNDLED_ZLIB, as the supplied versions are
      well out of date and offer no noted advantages.
    PR: 274822
    MFH: 2023Q4
    Security: fe7ac70a-792b-11ee-bf9a-a04a5edf46d9
 graphics/optipng/Makefile | 28 ++++++++++------------
 .../files/patch-src_gifread_gifread.c (new) | 14 +++++++++++
 2 files changed, 26 insertions(+), 16 deletions(-)
A commit in branch 2023Q4 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=0ce6caa1ea714ad0ff196f909713648193d8d3ba
commit 0ce6caa1ea714ad0ff196f909713648193d8d3ba
Author:     Thomas Hurst <tom@hur.st>
AuthorDate: 2023-10-30 22:45:22 +0000
Commit:     Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2023-11-03 21:20:01 +0000
    graphics/optipng: Add fix for CVE-2023-43907
    - Add a bounds check to prevent out-of-bounds read of buffer on
      specially-formed GIF files.
    - Remove BUNDLED_LIBPNG and BUNDLED_ZLIB, as the supplied versions are
      well out of date and offer no noted advantages.
    PR: 274822
    MFH: 2023Q4
    Security: fe7ac70a-792b-11ee-bf9a-a04a5edf46d9
    (cherry picked from commit 0a1052798c8e4879ca869b9032830a4ca00b1c02)
 graphics/optipng/Makefile | 28 ++++++++++------------
 .../files/patch-src_gifread_gifread.c (new) | 14 +++++++++++
 2 files changed, 26 insertions(+), 16 deletions(-)
Committed and MFH'ed. Note that diizzy's suggestion to deprecate the port is just that: a suggestion. You are not obliged to follow it. Personally I believe this is an important port that should not be deprecated.
Please update this to 0.7.8; the gmake dependency can be dropped, and you can also switch to DISTVERSION instead of PORTVERSION. The deprecation suggestion was based upon a known security issue that hadn't been fixed for over a month and years of little to no activity at all.