| Summary: | optipng new security issues CVE-2017-16938 and CVE-2017-1000229 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | dan, davidwhodgins, fri, marja11, smelror, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO has_procedure MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | optipng-0.7.6-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-11-30 21:09:14 CET
David Walser
2017-11-30 21:09:27 CET
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO

Assigning to the registered optipng maintainer.

CC:
(none) =>
marja11

Patches have been applied in Cauldron and the issue is fixed in optipng-0.7.6-2.mga7.

Test procedure to ensure bugs have been fixed:

curl -o CVE-2017-1000229.tiff https://sourceforge.net/p/optipng/bugs/65/attachment/poc.tiff
curl -o CVE-2017-16938.gif https://sourceforge.net/p/optipng/bugs/69/attachment/poc.gif

Run: optipng CVE-2017-16938.gif
Unpatched will show: Error: Error reading file or unexpected end of file
Patched will show: Error: GIF/LZW error: circular table

Run: optipng CVE-2017-1000229.tiff
Unpatched i386 will show: Segmentation fault
Unpatched x86_64 will show: Error: Out of memory (it's not easy to reproduce the failure on 64 bit arch with the standard optipng)
Patched will show: Error: Out of memory

To verify that it still optimizes normal png files:
Run: cp /usr/share/icons/firefox.png /tmp; optipng /tmp/firefox.png
Output should show (on mga6): 97 bytes = 3.92% decrease

Whiteboard:
MGA6TOO, MGA5TOO =>
MGA6TOO, MGA5TOO, has_procedure

Update for mga5 is building and will be in core/updates_testing: optipng-0.7.6-1.1.mga5
Update for mga6 is building and will be in core/updates_testing: optipng-0.7.6-1.1.mga6

Suggested advisory:
========================

Updated optipng package to fix security vulnerabilities:

- CVE-2017-1000229: Fix integer overflow bug in function minitiff_read_info() allows an attacker to remotely execute code or cause denial of service.
- CVE-2017-16938: Fix a global buffer overflow that allows attackers to cause DoS via a maliciously crafted GIF file.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16938
https://sourceforge.net/p/optipng/bugs/65/
https://sourceforge.net/p/optipng/bugs/69/

Updated packages in core/updates:
optipng-0.7.6-1.1.mga5
optipng-0.7.6-1.1.mga6

Source RPMs:
optipng-0.7.6-1.1.mga6.src.rpm

Assignee:
dan =>
qa-bugs

System MGA5::x86_64 (vmware)

Unpatched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Warning: Pixel value out of range
Error: Error reading file or unexpected end of file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Unpatched:
$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
Error: Out of memory

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test showed a 3.92% decrease.

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Error: GIF/LZW error: circular table

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Patched:
$ optipng CVE-2017-1000229.tiff 1 ↵
** Processing: CVE-2017-1000229.tiff
Error: Out of memory

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test shows a 3.92% decrease.

Cheers,
Stig

CC:
(none) =>
smelror

System MGA6::x86_64 (real hardware)

Unpatched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Warning: Pixel value out of range
Error: Error reading file or unexpected end of file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Unpatched:
$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
Error: Error reading TIFF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png shows a 3.92% decrease.

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Error: GIF/LZW error: circular table

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Patched:
$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
Error: Error reading TIFF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test shows a 3.92% decrease.

Cheers,
Stig

Thanks Stig. Adding the OKs on the basis of your reports in comments 4 and 5. Normally the tester would do this themselves unless the bug requires testing on a range of systems.

CC:
(none) =>
tarazed25

System MGA6::i586 (vmware)

Unpatched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Warning: Pixel value out of range
Error: Error reading file or unexpected end of file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Unpatched:
$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
[1] 2335 segmentation fault (core dumped) optipng CVE-2017-1000229.tiff

The firefox.png test shows a 3.92% decrease.

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Error: GIF/LZW error: circular table

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Patched:
$ optipng CVE-2017-1000229.tiff 1 ↵
** Processing: CVE-2017-1000229.tiff
Error: Out of memory

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test shows a 3.92% decrease.

Cheers,
Stig

System MGA5::i586

Unpatched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Warning: Pixel value out of range
Error: Error reading file or unexpected end of file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Unpatched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Warning: Pixel value out of range
Error: Error reading file or unexpected end of file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

[stig@localhost optipng]$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
Segmentation fault

The firefox.png test shows a 3.92% decrease.

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Error: GIF/LZW error: circular table

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Error: GIF/LZW error: circular table

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

[stig@localhost optipng]$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
Error: Out of memory

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test shows a 3.92% decrease.

Cheers,
Stig

The last test was done in vmware.

Stig-Ørjan couldn't have tested the update candidate, since the build system *just* uploaded it (it was broken).

Version:
Cauldron =>
6

(In reply to David Walser from comment #10)
> Stig-Ørjan couldn't have tested the update candidate, since the build system
> *just* uploaded it (it was broken).

Thanks for the pointer. I downloaded from mgarepo, compiled and did the tests thinking it was the same.

Will do the tests again when the package has been uploaded to my local repo.

Cheers,
Stig

I'll try again.

System MGA6::x86_64 (real hardware)

$ rpm -qa | grep optipng
optipng-0.7.6-1.1.mga6

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Error: GIF/LZW error: circular table

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Patched:
$ optipng CVE-2017-1000229.tiff 1 ↵
** Processing: CVE-2017-1000229.tiff
Error: Error reading TIFF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test shows a 3.92% decrease.

Cheers,
Stig

System MGA6::i586 (vmware)

$ rpm -qa | grep optipng 1 ↵
optipng-0.7.6-1.1.mga6

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Error: GIF/LZW error: circular table

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Patched:
$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
Error: Out of memory

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test shows a 3.92% decrease.

Cheers,
Stig

System MGA5::x86_64 (vmware)

$ rpm -qa | grep optipng
optipng-0.7.6-1.mga5

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Warning: Pixel value out of range
Error: Error reading file or unexpected end of file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Patched:
$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
Error: Out of memory

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test shows a 3.92% decrease.

Cheers,
Stig

System MGA5::i586 (vmware)

$ rpm -qa | grep optipng
optipng-0.7.6-1.1.mga5

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Error: GIF/LZW error: circular table

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Patched:
$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
Error: Out of memory

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test shows a 3.92% decrease.

Cheers,
Stig

(In reply to Stig-Ørjan Smelror from comment #14)
> System MGA5::x86_64 (vmware)
>
> $ rpm -qa | grep optipng
> optipng-0.7.6-1.mga5
>
> Patched:
> $ optipng CVE-2017-16938.gif
> ** Processing: CVE-2017-16938.gif
> Warning: Bogus data in GIF
> Warning: Pixel value out of range
> Error: Error reading file or unexpected end of file
>
> ** Status report
> 1 file(s) have been processed.
> 1 error(s) have been encountered.
>
> Patched:
> $ optipng CVE-2017-1000229.tiff
> ** Processing: CVE-2017-1000229.tiff
> Error: Out of memory
>
> ** Status report
> 1 file(s) have been processed.
> 1 error(s) have been encountered.
>
> The firefox.png test shows a 3.92% decrease.
>
> Cheers,
> Stig

This one is invalid as it is the old package. Will redo now.

Cheers,
Stig

System MGA5::x86_64 (vmware)

$ rpm -qa | grep optipng
optipng-0.7.6-1.1.mga5

Patched:
$ optipng CVE-2017-16938.gif
** Processing: CVE-2017-16938.gif
Warning: Bogus data in GIF
Error: GIF/LZW error: circular table

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Patched:
$ optipng CVE-2017-1000229.tiff
** Processing: CVE-2017-1000229.tiff
Error: Out of memory

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

The firefox.png test shows a 3.92% decrease.

Cheers,
Stig
Stig-Ørjan Smelror
2017-12-07 21:49:27 CET
Whiteboard:
MGA5TOO has_procedure =>
MGA5TOO has_procedure MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
Stig-Ørjan Smelror
2017-12-07 21:52:19 CET
CC:
(none) =>
sysadmin-bugs
Dave Hodgins
2017-12-10 21:18:24 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0447.html

Resolution:
(none) =>
FIXED

*** Bug 23563 has been marked as a duplicate of this bug. ***
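
The test procedure in this thread, turned into a small classifier (an added example, not part of the bug report or of optipng): it maps captured optipng output to a verdict using only the messages quoted above, and refuses to judge a run made against a build other than the update candidate, which is what invalidated one of the reports. The function names and verdict labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify captured optipng output per the thread's test procedure.
# Function names and verdict labels are hypothetical; matched strings come from this page.

# $1 = installed package (e.g. from `rpm -q optipng`), $2 = expected update candidate
is_candidate() {
    [ "$1" = "$2" ]
}

# $1 = captured output of `optipng CVE-2017-16938.gif`
classify_gif() {
    case "$1" in
        *"GIF/LZW error: circular table"*) echo patched ;;
        *"Error reading file or unexpected end of file"*) echo unpatched ;;
        *) echo inconclusive ;;
    esac
}

# $1 = captured output of `optipng CVE-2017-1000229.tiff`, $2 = arch (i586|x86_64)
classify_tiff() {
    case "$1" in
        *[Ss]"egmentation fault"*) echo unpatched ;;
        *"Out of memory"*)
            # Per the procedure, this message separates old from new on 32-bit only.
            if [ "$2" = i586 ]; then echo patched; else echo inconclusive; fi ;;
        *) echo inconclusive ;;
    esac
}

# $1 installed, $2 expected, $3 arch, $4 GIF run output, $5 TIFF run output
verdict() {
    is_candidate "$1" "$2" || { echo invalid-run; return 0; }
    g=$(classify_gif "$4"); t=$(classify_tiff "$5" "$3")
    if [ "$g" = unpatched ] || [ "$t" = unpatched ]; then echo FAIL
    elif [ "$g" = patched ]; then echo OK
    else echo inconclusive; fi
}

# Constructed sample input, assembled from outputs reported in this thread.
GIF_OLD='Warning: Pixel value out of range
Error: Error reading file or unexpected end of file'
GIF_NEW='Warning: Bogus data in GIF
Error: GIF/LZW error: circular table'
TIFF_OOM='Error: Out of memory'
TIFF_SEGV='[1] 2335 segmentation fault (core dumped) optipng CVE-2017-1000229.tiff'

# Old build installed while testing the candidate, then the corrected rerun.
verdict optipng-0.7.6-1.mga5 optipng-0.7.6-1.1.mga5 x86_64 "$GIF_OLD" "$TIFF_OOM"
verdict optipng-0.7.6-1.1.mga5 optipng-0.7.6-1.1.mga5 x86_64 "$GIF_NEW" "$TIFF_OOM"
```

On x86_64 the TIFF run is reported as inconclusive by design, so the GIF message and the installed package version carry the verdict there.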