A CVE has been assigned for a security issue in optipng 0.7.5:
http://openwall.com/lists/oss-security/2015/10/10/2

Upstream has been notified, but I don't believe a fix is available yet. A PoC is attached to the initial report:
http://seclists.org/oss-sec/2015/q3/632

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
According to https://sourceforge.net/p/optipng/bugs/53/, this isn't actually a security issue. I've submitted the patch there to Cauldron, but it doesn't appear that a release to mga5 is warranted.
Looks like only Debian-LTS issued an update for the equivalent issue in 0.6.4: http://lwn.net/Vulnerabilities/661902/ I guess we could just check the patch into Mageia 5 SVN just in case there are any future issues.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Done.
Another security issue in optipng has been announced today (April 4): http://openwall.com/lists/oss-security/2016/04/04/2 I don't know for sure if it affects 0.6.4, but there is information about the security vulnerability in the code and reproducer information available in the message linked above. The issue is fixed upstream in 0.7.6, which I just uploaded for Cauldron.
Summary: optipng new security issue CVE-2015-7802 => optipng new security issues CVE-2015-7802 and CVE-2016-2191
URL: (none) => http://lwn.net/Vulnerabilities/682567/
The 0.7.6 changelog lists only bug fixes from 0.7.5 (the version we have in mga5), so I'm going to bump the version there to fix this. Here's a test:

(curl http://openwall.com/lists/oss-security/2016/04/04/2 | sed -n -e '1,/^oob\.bmp/d' -e 's/^| //p' ; echo -e '#include <stdio.h>\nint main(void){fwrite(bmp,sizeof(bmp),1,fopen("CVE-2016-2191.bmp","w"));return 0;}') > CVE-2016-2191.c
# Manually check the file CVE-2016-2191.c for sanity here, since the source
# code has been transferred over an unauthenticated connection
gcc -o CVE-2016-2191 CVE-2016-2191.c
./CVE-2016-2191
optipng CVE-2016-2191.bmp

A susceptible optipng will segfault and print "Segmentation fault". A fixed optipng will print a bunch of stuff and end with "Output file size = 84 bytes…"
Status: NEW => ASSIGNED
Created attachment 7641 [details] Test image to verify CVE-2016-2191 http://openwall.com/lists/oss-security/2016/04/04/2
An update candidate optipng-0.7.6 is now available in updates_testing.

Here's a simpler test procedure. Download attachment 7641 [details] and run:

optipng CVE-2016-2191.bmp

Verification is as in comment #5 (i.e. should not segfault).

Advisory:
========================

An updated optipng package fixes a number of bugs and security vulnerabilities.

CVE-2015-7802 - Buffer over-read issue
CVE-2016-2191 - An invalid write and segmentation fault may occur while processing bitmap images

References:
https://sourceforge.net/p/optipng/bugs/53/
http://openwall.com/lists/oss-security/2016/04/04/2
http://optipng.sourceforge.net/history.txt
========================

Updated packages in core/updates_testing:
========================
optipng-0.7.6-1.mga5
from optipng-0.7.6-1.mga5.src.rpm
Assignee: dan => qa-bugs
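An added helper, not part of this bug report or of the optipng project, that automates the "should not segfault" verification in the procedure above: it runs a command, reports whether the process was killed by a signal (a susceptible optipng dies with SIGSEGV), and checks for the "Output file size =" summary line a fixed optipng prints at the end of a successful run. The optipng binary path, the test file name, and the "OptiPNG version x.y.z" banner format assumed for `optipng -v` are assumptions, not taken from the page.

```python
import re
import signal
import subprocess
import sys

# Summary line a fixed optipng prints at the end of a run (see the test
# description in this bug); a crash never reaches it.
SUMMARY_MARKER = "Output file size ="
# First version carrying the CVE-2016-2191 fix, per the advisory above.
FIXED_VERSION = (0, 7, 6)


def verdict(returncode, output):
    """Turn an exit status plus captured output into a QA verdict.

    subprocess reports death-by-signal as a negative return code; a
    segfaulting optipng therefore shows up as -SIGSEGV (-11 on Linux).
    """
    if returncode is None:
        return "not run"
    if returncode < 0:
        return "crashed: " + signal.Signals(-returncode).name
    if returncode == 0 and SUMMARY_MARKER in output:
        return "fixed"
    if returncode == 0:
        return "exit 0 without summary line"
    return "exited %d" % returncode


def run_and_classify(argv, timeout=60):
    """Run argv with stdout and stderr merged and classify the result."""
    try:
        proc = subprocess.run(argv, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=timeout)
    except FileNotFoundError:
        return "not run"          # binary not installed on this box
    except subprocess.TimeoutExpired:
        return "timeout"
    return verdict(proc.returncode, proc.stdout.decode("utf-8", "replace"))


def version_is_fixed(banner, fixed=FIXED_VERSION):
    """Parse the first x.y.z in a version banner and compare it to `fixed`.

    Assumed banner shape: 'OptiPNG version 0.7.6'. Returns None when no
    version number is found at all.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) >= fixed


def installed_version_fixed(optipng="optipng"):
    """Ask the installed binary for its version and check it (assumed `-v` flag)."""
    try:
        proc = subprocess.run([optipng, "-v"], stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return version_is_fixed(proc.stdout.decode("utf-8", "replace"))


if __name__ == "__main__":
    # Assumed defaults: optipng on PATH and the attachment 7641 file in cwd.
    optipng = sys.argv[1] if len(sys.argv) > 1 else "optipng"
    test_bmp = sys.argv[2] if len(sys.argv) > 2 else "CVE-2016-2191.bmp"
    print("version >= %s: %s" % (".".join(map(str, FIXED_VERSION)),
                                 installed_version_fixed(optipng)))
    print("test image verdict:", run_and_classify([optipng, test_bmp]))
```

Run it as `python3 check_optipng.py /usr/bin/optipng CVE-2016-2191.bmp` on a box before and after the update; a "crashed: SIGSEGV" verdict reproduces the pre-update behaviour, "fixed" matches the expected post-update output. The version check is only a hint, since a distribution may backport the fix without bumping the version.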
Tested this on an x86_64 machine. Before the update optipng segfaulted on the test file. After update:

$ optipng CVE-2016-2191.bmp
** Processing: CVE-2016-2191.bmp
Importing BMP
1x2086 pixels, 4 bits/pixel, grayscale
Input file size = 164 bytes

Trying:
  zc = 9  zm = 8  zs = 0  f = 0		IDAT size = 27
  zc = 9  zm = 8  zs = 1  f = 0		IDAT size = 27
  zc = 9  zm = 8  zs = 3  f = 0		IDAT size = 27
  zc = 9  zm = 8  zs = 0  f = 5		IDAT size = 27
  zc = 9  zm = 8  zs = 1  f = 5		IDAT size = 27
  zc = 9  zm = 8  zs = 3  f = 5		IDAT size = 27

Selecting parameters:
  zc = 9  zm = 8  zs = 3  f = 0		IDAT size = 27

Output file: CVE-2016-2191.png

Output IDAT size = 27 bytes
Output file size = 84 bytes (80 bytes = 48.78% decrease)

$ ls -l *.png
-rw-r--r-- 1 lcl lcl 84 Apr 11 18:55 CVE-2016-2191.png

In eom it displayed as a black image measuring 1x2086.
CC: (none) => tarazed25
Whiteboard: (none) => has_procedure MGA5-64-OK
Ran this in a 32-bit virtualbox and confirmed the before and after behaviour for the test image. Validating this.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
David, do you want to flesh out this advisory?
Advisory uploaded from comment 7.
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0135.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2015-7802: http://lwn.net/Vulnerabilities/683844/
CVE-2016-3981 CVE-2016-3982 also fixed in this update: http://lwn.net/Vulnerabilities/684236/