Date: Fri, 3 Nov 2023 21:18:12 GMT From: Robert Clausecker <fuz@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 0a1052798c8e - main - graphics/optipng: Add fix for CVE-2023-43907 Message-ID: <202311032118.3A3LICDC098696@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fuz: URL: https://cgit.FreeBSD.org/ports/commit/?id=0a1052798c8e4879ca869b9032830a4ca00b1c02 commit 0a1052798c8e4879ca869b9032830a4ca00b1c02 Author: Thomas Hurst <tom@hur.st> AuthorDate: 2023-10-30 22:45:22 +0000 Commit: Robert Clausecker <fuz@FreeBSD.org> CommitDate: 2023-11-03 21:16:19 +0000 graphics/optipng: Add fix for CVE-2023-43907 - Add a bounds check to prevent out-of-bounds read of buffer on specially-formed GIF files. - Remove BUNDLED_LIBPNG and BUNDLED_ZLIB, as the supplied versions are well out of date and offer no noted advantages. PR: 274822 MFH: 2023Q4 Security: fe7ac70a-792b-11ee-bf9a-a04a5edf46d9 --- graphics/optipng/Makefile | 28 ++++++++++------------ graphics/optipng/files/patch-src_gifread_gifread.c | 14 +++++++++++ 2 files changed, 26 insertions(+), 16 deletions(-) diff --git a/graphics/optipng/Makefile b/graphics/optipng/Makefile index adf3fcdb59be..acbe6053199d 100644 --- a/graphics/optipng/Makefile +++ b/graphics/optipng/Makefile @@ -1,36 +1,32 @@ PORTNAME= optipng -PORTVERSION= 0.7.7 +DISTVERSION= 0.7.7 +PORTREVISION= 1 CATEGORIES= graphics MASTER_SITES= SF/${PORTNAME}/OptiPNG/${PORTNAME}-${PORTVERSION} MAINTAINER= tom@hur.st COMMENT= Optimizer for PNG files -WWW= http://optipng.sourceforge.net/ +WWW= https://optipng.sourceforge.net/ LICENSE= ZLIB LICENSE_FILE= ${WRKSRC}/LICENSE.txt -OPTIONS_DEFINE= BUNDLED_LIBPNG BUNDLED_ZLIB DOCS +LIB_DEPENDS= libpng.so:graphics/png -BUNDLED_LIBPNG_DESC= Use bundled libpng -BUNDLED_LIBPNG_CONFIGURE_OFF= --with-system-libpng -BUNDLED_LIBPNG_CONFIGURE_ON= --without-system-libpng -BUNDLED_LIBPNG_LIB_DEPENDS_OFF= libpng.so:graphics/png -BUNDLED_LIBPNG_USES_OFF= localbase:ldflags - -BUNDLED_ZLIB_DESC= Use bundled zlib -BUNDLED_ZLIB_CONFIGURE_OFF= --with-system-zlib -BUNDLED_ZLIB_CONFIGURE_ON= --without-system-zlib +USES= cpe gmake localbase:ldflags +CPE_VENDOR= optipng_project -USES= cpe gmake HAS_CONFIGURE= yes +CONFIGURE_ARGS= --with-system-libpng \ + --with-system-zlib -CPE_VENDOR= optipng_project - -PLIST_FILES= bin/optipng man/man1/optipng.1.gz +PLIST_FILES= bin/optipng \ + man/man1/optipng.1.gz PORTDOCS= history.txt optipng.man.html optipng.man.pdf optipng.man.txt \ png_optimization.html todo.txt +OPTIONS_DEFINE= DOCS + do-install: ${INSTALL_PROGRAM} ${WRKSRC}/src/optipng/optipng ${STAGEDIR}${PREFIX}/bin/ ${INSTALL_MAN} ${WRKSRC}/src/optipng/man/optipng.1 ${STAGEDIR}${MAN1PREFIX}/man/man1/ diff --git a/graphics/optipng/files/patch-src_gifread_gifread.c b/graphics/optipng/files/patch-src_gifread_gifread.c new file mode 100644 index 000000000000..bfc0112026c5 --- /dev/null +++ b/graphics/optipng/files/patch-src_gifread_gifread.c @@ -0,0 +1,14 @@ +--- src/gifread/gifread.c.orig 2017-12-10 23:49:00 UTC ++++ src/gifread/gifread.c +@@ -363,6 +363,11 @@ static int LZWGetCode(int code_size, int init_flag, FI + lastbit = (2 + count) * 8; + } + ++ if (code_size && (size_t)(curbit + code_size - 1) / 8 >= sizeof(buffer)) { ++ GIFError("Malformed GIF (CVE-2023-43907)"); ++ return -1; ++ } ++ + ret = 0; + for (i = curbit, j = 0; j < code_size; ++i, ++j) + ret |= ((buffer[i / 8] & (1 << (i % 8))) != 0) << j;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202311032118.3A3LICDC098696>