Date:      Sat, 06 Jan 2018 23:59:23 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 224960] graphics/optipng: update to 0.7.7
Message-ID:  <bug-224960-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224960

            Bug ID: 224960
           Summary: graphics/optipng: update to 0.7.7
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch, security
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: vidar@karlsen.tech
                CC: tom@hur.st
             Flags: maintainer-feedback?(tom@hur.st)

Created attachment 189482
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=189482&action=edit
Patch to update optipng to 0.7.7

Update OptiPNG to 0.7.7

This fixes two security vulnerabilities, a buffer overflow vulnerability
in the GIF decoder and an integer overflow vulnerability in the TIFF decoder.

CVE-2017-16938:
A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to cause
a denial-of-service attack or other unspecified impact with a maliciously
crafted GIF format file, related to an uncontrolled loop in the LZWReadByte
function of the gifread.c file.

CVE-2017-1000229:
Integer overflow bug in function minitiff_read_info() of optipng 0.7.6
allows an attacker to remotely execute code or cause denial of service.

QA of the attached patch:
portlint -A: looks fine.
poudriere testport FreeBSD 11.1 amd64: ok
poudriere testport FreeBSD 11.1 i386:  ok
poudriere testport FreeBSD 10.4 amd64: ok
poudriere testport FreeBSD 10.4 i386:  ok
poudriere testport FreeBSD 10.3 amd64: ok
poudriere testport FreeBSD 10.3 i386:  ok

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16938
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000229
http://optipng.sourceforge.net/

-- 
You are receiving this mail because:
You are the assignee for the bug.
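The bug class behind CVE-2017-1000229 (size arithmetic on attacker-controlled image header fields wrapping around before an allocation) is illustrated below as an added example. It is not OptiPNG's minitiff code: the `img_info` struct, its field names, the 1 GiB ceiling and the sample dimensions are all constructed for the illustration. The unchecked helper shows how a 32-bit product silently wraps to a tiny allocation size; the checked helper rejects the same header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified image header (hypothetical; not OptiPNG's
 * minitiff structures). All four fields come straight from the file. */
struct img_info {
    uint32_t width;
    uint32_t height;
    uint32_t samples_per_pixel;
    uint32_t bytes_per_sample;
};

/* Constructed policy ceiling: refuse any pixel buffer larger than 1 GiB
 * even when the arithmetic itself does not overflow. */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* Vulnerable pattern: 32-bit product of file-controlled fields. With
 * width = height = 65536 the product is 2^32, which wraps to 0, so a
 * later malloc() of this size is far too small for the rows written
 * into it. Kept only to show the failure mode. */
uint32_t unchecked_bytes_u32(const struct img_info *info)
{
    return info->width * info->height *
           info->samples_per_pixel * info->bytes_per_sample;
}

/* Hardened pattern: every multiplication is overflow-checked in size_t
 * (__builtin_mul_overflow is a GCC/Clang builtin), zero fields are
 * rejected, and the result is capped by MAX_IMAGE_BYTES.
 * Returns 0 and stores the byte count in *out, or -1 on rejection. */
int checked_image_bytes(const struct img_info *info, size_t *out)
{
    size_t n;

    if (info->width == 0 || info->height == 0 ||
        info->samples_per_pixel == 0 || info->bytes_per_sample == 0)
        return -1;

    n = info->width;
    if (__builtin_mul_overflow(n, (size_t)info->height, &n))
        return -1;
    if (__builtin_mul_overflow(n, (size_t)info->samples_per_pixel, &n))
        return -1;
    if (__builtin_mul_overflow(n, (size_t)info->bytes_per_sample, &n))
        return -1;
    if (n > MAX_IMAGE_BYTES)
        return -1;

    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed headers: one ordinary, one crafted to wrap. */
    struct img_info ok  = { 640u, 480u, 3u, 1u };
    struct img_info bad = { 65536u, 65536u, 1u, 1u };
    size_t bytes;

    printf("unchecked crafted size: %u bytes\n", unchecked_bytes_u32(&bad));
    printf("checked crafted size:   %s\n",
           checked_image_bytes(&bad, &bytes) == 0 ? "accepted" : "rejected");
    if (checked_image_bytes(&ok, &bytes) == 0)
        printf("checked normal size:    %zu bytes\n", bytes);
    return 0;
}
```

The ceiling is as important as the overflow check: on a 64-bit build the crafted header does not overflow `size_t` at all, so without a policy limit the decoder would simply attempt a multi-gigabyte allocation and the failure becomes a denial of service instead of a heap overflow.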
