| Summary: | optipng new security issue CVE-2023-43907 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | fri, mageia, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8TOO, MGA9-64-OK, MGA8-64-OK | | |
| Source RPM: | optipng-0.7.7-3.mga9.src.rpm | CVE: | CVE-2023-43907 |
| Status comment: | Fixed upstream in 0.7.8 | | |
Description
Nicolas Salguero
2023-11-14 16:12:23 CET
For Cauldron, the problem is already solved.
Version: Cauldron => 9

Nicolas Salguero
2023-11-14 16:13:51 CET
CC: (none) => nicolas.salguero
Assigning to our registered optipng maintainer
Assignee: bugsquad => dan

Besides the CVE fix, the changelog for 0.7.8 lists no new features but only bug fixes and architectural improvements in this version. The updated minimal dependencies are still satisfied in mga8 and mga9. I'm therefore going to perform a version upgrade rather than backport this specific CVE fix.
Status: NEW => ASSIGNED

The following RPMs are available in updates_testing:
mga9:
optipng-0.7.8-1.mga9.x86_64.rpm
optipng-0.7.8-1.mga9.i586.rpm
optipng-0.7.8-1.mga9.armv7hl.rpm
optipng-0.7.8-1.mga9.aarch64.rpm
I messed up the mga8 build so those will be upcoming.
CVE: (none) => CVE-2023-43907

QA test:
1. cd /tmp
2. curl -ORL https://github.com/Frank-Z7/z-vulnerabilitys/raw/main/POCoptipng
3. optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
The patched optipng will say amongst its output:
Error: Malformed GIF (CVE-2023-43907)
The unpatched one shows an error but doesn't show that CVE number.
Whiteboard: MGA8TOO => MGA8TOO has_procedure

Proposed security advisory text:
========================
Updated the optipng package to fix a security vulnerability (CVE-2023-43907) and other bugs.

The GIF handler was vulnerable to a global buffer overflow.

References:
https://sourceforge.net/p/optipng/bugs/87/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43907
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/optipng-global-buffer-overflow1/optipng-global-buffer-overflow1.md
========================
mga9:
optipng-0.7.8-1.mga9.x86_64.rpm
optipng-0.7.8-1.mga9.i586.rpm
optipng-0.7.8-1.mga9.armv7hl.rpm
optipng-0.7.8-1.mga9.aarch64.rpm
mga8:
optipng-0.7.8-1.mga8.x86_64.rpm
optipng-0.7.8-1.mga8.i586.rpm
optipng-0.7.8-1.mga8.armv7hl.rpm
optipng-0.7.8-1.mga8.aarch64.rpm
source:
optipng-0.7.8-1.mga9.src.rpm
optipng-0.7.8-1.mga8.src.rpm

Going by the changelog mails, release is higher for Mageia 8 than for Mageia 9:
optipng-0.7.8-2.mga8
optipng-0.7.8-1.mga9

That's the goof-up I mentioned in comment #4. I've asked the sysadmins to delete it so I can rebuild it with the right release.

(In reply to Dan Fandrich from comment #8)
> That's the goof-up I mentioned in comment #4. I've asked the sysadmins to
> delete it so I can rebuild it with the right release.
Sorry, I had missed that. Wouldn't bumping the mga9 release fix this problem, too? (Our sysadmins are rather overloaded, as you well know. I hope you'll have time and energy to join their meeting, even if you didn't partake in the framadate poll.)

That's true. It means both Cauldron and mga9 but I'll do that if nothing happens by tomorrow. I finally remembered to fill out the poll this morning, and I should be able to attend.

mga9-64 OK here.
Confirming test of comment 5 and also test OK to compress a local png file: did compress, result OK, opens with Okular.
Whiteboard: MGA8TOO has_procedure => MGA8TOO, MGA9-64-OK

Morgan Leijström
2023-11-29 15:44:05 CET
Keywords: (none) => has_procedure

I had to bump the release number and rebuild the mga9 binaries. Nothing was changed except the release number so the packages should be otherwise identical to optipng-0.7.8-1.mga9. The mga8 binaries are now also ready. Ignore the binaries listed in comments #4 and #6 and use this list instead:
mga9:
optipng-0.7.8-2.mga9.x86_64.rpm
optipng-0.7.8-2.mga9.i586.rpm
optipng-0.7.8-2.mga9.armv7hl.rpm
optipng-0.7.8-2.mga9.aarch64.rpm
mga8:
optipng-0.7.8-2.mga8.x86_64.rpm
optipng-0.7.8-2.mga8.i586.rpm
optipng-0.7.8-2.mga8.armv7hl.rpm
optipng-0.7.8-2.mga8.aarch64.rpm
source:
optipng-0.7.8-2.mga9.src.rpm
optipng-0.7.8-2.mga8.src.rpm
Assignee: dan => qa-bugs

Advisory from comment 6 with the SRPMs from comment 12 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory

Tested on real hardware with Mageia 9 x86_64 lxqt.
Install current version, download PoC file:
optipng POCoptipng
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Unexpected end of GIF file
** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
Update to testing version without issue:
optipng POCoptipng
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Malformed GIF (CVE-2023-43907)
** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
Is this the expected behavior?

Installed and tested without issues. Tested with lots of images and with the PoC image.
System: Mageia 8, x86_64, AMD Ryzen 5 5600G with Radeon Graphics.
$ curl -sORL https://github.com/Frank-Z7/z-vulnerabilitys/raw/main/POCoptipng
$ # BEFORE UPDATE
$ optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Unexpected end of GIF file
** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
$ # AFTER UPDATE
$ optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Malformed GIF (CVE-2023-43907)
** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
$ uname -a
Linux jupiter 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q optipng
optipng-0.7.8-2.mga8
Whiteboard: MGA8TOO, MGA9-64-OK => MGA8TOO, MGA9-64-OK, MGA8-64-OK

(In reply to katnatek from comment #14)
> 1 error(s) have been encountered.
>
> Is this the expected behavior?
I understand it like that. From comment 5: "The unpatched one shows an error but doesn't show that CVE number."
Validating.
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0333.html
Status: ASSIGNED => RESOLVED
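The "QA test" procedure and the before/after runs the testers posted can be turned into a check that does not rely on reading optipng's output by eye. The script below is an added example, not code from the bug report, from Mageia QA or from the optipng project. It runs the exact command line from the procedure and decides "patched" or "unpatched" from the diagnostic line, because, as the testers noticed, both the old and the new build exit with an error and report "1 error(s)", so neither the exit status nor the error count tells the two apart. The PoC URL, the file name and the two marker strings are taken from the comments above; the function names, the --run flag and the use of /tmp are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the bug report): automates the QA test for the
# optipng update and classifies the result from the diagnostic line.
# Assumptions: the PoC lives at POC_URL (as given in the QA test comment) and
# the updated build prints the CVE number in its error line as the testers saw.

POC_URL="https://github.com/Frank-Z7/z-vulnerabilitys/raw/main/POCoptipng"
POC_FILE="POCoptipng"
PATCHED_MARKER="Malformed GIF (CVE-2023-43907)"
UNPATCHED_MARKER="Unexpected end of GIF file"

# classify_optipng_output: read optipng's combined stdout/stderr on stdin and
# print "patched", "unpatched" or "unknown".  Exit status is 0 only for
# "patched", so the function can be used directly in a pipeline or an if.
classify_optipng_output() {
    out=$(cat)
    case "$out" in
        *"$PATCHED_MARKER"*)   echo patched;   return 0 ;;
        *"$UNPATCHED_MARKER"*) echo unpatched; return 1 ;;
        *)                     echo unknown;   return 2 ;;
    esac
}

# run_qa_test: fetch the PoC into /tmp (if not already there) and run the
# exact optipng command line from the QA procedure.  optipng exits non-zero on
# both builds because the input is a malformed GIF either way, so the result
# is taken from the pipeline's classifier, not from optipng's exit status.
run_qa_test() {
    cd /tmp || return 2
    if [ ! -f "$POC_FILE" ]; then
        curl -sORL "$POC_URL" || { echo "download of $POC_URL failed" >&2; return 2; }
    fi
    optipng -o4 "$POC_FILE" -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png 2>&1 \
        | classify_optipng_output
}

# Only run against the real binary when asked; sourcing the file just defines
# the functions.  On an rpm-based host also record which package was tested.
if [ "${1:-}" = "--run" ]; then
    if command -v rpm >/dev/null 2>&1; then
        rpm -q optipng
    fi
    run_qa_test
fi
```

Invoke it as `sh check-optipng.sh --run` on a host that has optipng and curl installed; it prints the installed package (where rpm exists) followed by `patched` or `unpatched`. Run the unpatched side on a throwaway VM rather than a workstation: the PoC is a deliberately malformed GIF, and the point of the update is that the old GIF reader does not handle it safely.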