Bug 224960 - graphics/optipng: update to 0.7.7
Summary: graphics/optipng: update to 0.7.7
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Yuri Victorovich
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2018-01-06 23:59 UTC by Vidar Karlsen
Modified: 2018-02-12 10:02 UTC (History)
2 users (show)

See Also:
yuri: maintainer-feedback+
vidar: merge-quarterly?


Attachments
Patch to update optipng to 0.7.7 (2.08 KB, patch)
2018-01-06 23:59 UTC, Vidar Karlsen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Vidar Karlsen 2018-01-06 23:59:23 UTC
Created attachment 189482 [details]
Patch to update optipng to 0.7.7

Update OptiPNG to 0.7.7

This fixes two security vulnerabilities, a buffer overflow vulnerability
in the GIF decoder and an integer overflow vulnerability in the TIFF decoder.

CVE-2017-16938:
A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to cause
a denial-of-service attack or other unspecified impact with a maliciously
crafted GIF format file, related to an uncontrolled loop in the LZWReadByte
function of the gifread.c file.

CVE-2017-1000229:
Integer overflow bug in function minitiff_read_info() of optipng 0.7.6
allows an attacker to remotely execute code or cause denial of service.

QA of the attached patch:
portlint -A: looks fine.
poudriere testport FreeBSD 11.1 amd64: ok
poudriere testport FreeBSD 11.1 i386:  ok
poudriere testport FreeBSD 10.4 amd64: ok
poudriere testport FreeBSD 10.4 i386:  ok
poudriere testport FreeBSD 10.3 amd64: ok
poudriere testport FreeBSD 10.3 i386:  ok

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16938
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000229
http://optipng.sourceforge.net/
Comment 1 Yuri Victorovich freebsd_committer 2018-02-12 09:59:59 UTC
Timeout expired.
Comment 2 Yuri Victorovich freebsd_committer 2018-02-12 10:02:10 UTC
Committed, thanks!
Comment 3 commit-hook freebsd_committer 2018-02-12 10:02:54 UTC
A commit references this bug:

Author: yuri
Date: Mon Feb 12 10:02:03 UTC 2018
New revision: 461572
URL: https://svnweb.freebsd.org/changeset/ports/461572

Log:
  graphics/optipng: Update to 0.7.7

  PR:		224960
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  Approved by:	timeout expired, tcberner (mentor, implicit)

Changes:
  head/graphics/optipng/Makefile
  head/graphics/optipng/distinfo
  head/graphics/optipng/files/patch-src_pngxtern_pngxmem.c