Fedora has issued an advisory today (November 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IBHVG5LDE2K3FZSIK4XFXOUXSE7NZ5JH/

Mageia 8 and 9 are also affected.
For Cauldron, the problem is already solved.
Version: Cauldron => 9
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Source RPM: (none) => optipng-0.7.7-3.mga9.src.rpm
Status comment: (none) => Fixed upstream in 0.7.8
Assigning to our registered optipng maintainer
Assignee: bugsquad => dan
CC: (none) => marja11
Besides the CVE fix, the changelog for 0.7.8 lists no new features but only bug fixes and architectural improvements in this version. The updated minimal dependencies are still satisfied in mga8 and mga9. I'm therefore going to perform a version upgrade rather than backport this specific CVE fix.
Status: NEW => ASSIGNED
The following RPMs are available in updates_testing:

mga9:
optipng-0.7.8-1.mga9.x86_64.rpm
optipng-0.7.8-1.mga9.i586.rpm
optipng-0.7.8-1.mga9.armv7hl.rpm
optipng-0.7.8-1.mga9.aarch64.rpm

I messed up the mga8 build so those will be upcoming.
CVE: (none) => CVE-2023-43907
QA test:

1. cd /tmp
2. curl -ORL https://github.com/Frank-Z7/z-vulnerabilitys/raw/main/POCoptipng
3. optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png

The patched optipng will say amongst its output:

Error: Malformed GIF (CVE-2023-43907)

The unpatched one shows an error but doesn't show that CVE number.
Whiteboard: MGA8TOO => MGA8TOO has_procedure
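The test procedure above relies on reading optipng's output by eye, and both the fixed and the unfixed build exit with an error on the PoC file, so the exit status alone does not tell them apart. The following script is an added example (not part of the bug report or of the optipng project) that automates the check: it runs the exact command line from the procedure and classifies the output by the presence of the "Malformed GIF (CVE-2023-43907)" marker. The PoC URL is the one from the procedure; the /tmp paths and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: automate the optipng QA check for CVE-2023-43907.
# The fixed build (0.7.8) reports "Malformed GIF (CVE-2023-43907)" on the
# PoC file; the unfixed build also reports an error, but without that marker.

# PoC location taken from the QA procedure in the bug report.
POC_URL="https://github.com/Frank-Z7/z-vulnerabilitys/raw/main/POCoptipng"

# classify_optipng_output: read optipng's combined stdout/stderr on stdin and
# print one of: patched, unpatched-error, no-error.
classify_optipng_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Malformed GIF (CVE-2023-43907)'; then
        # Only the fixed GIF reader emits the CVE marker.
        echo patched
    elif printf '%s\n' "$out" | grep -q '^Error:'; then
        # Some other error (e.g. "Unexpected end of GIF file"): old build.
        echo unpatched-error
    else
        # No "Error:" line at all: the file was accepted, which the PoC
        # should never be on either build.
        echo no-error
    fi
}

# run_qa [poc-path]: fetch the PoC unless a local copy exists, run the command
# line from the QA procedure, and return 0 only for the patched verdict.
run_qa() {
    poc=${1:-/tmp/POCoptipng}
    if [ ! -f "$poc" ]; then
        curl -sSRLo "$poc" "$POC_URL" || return 2
    fi
    verdict=$(optipng -o4 "$poc" -zm 3 -zc 1 -zw 256 -snip \
                  -out /tmp/optipngtest.png 2>&1 | classify_optipng_output)
    ver=$(rpm -q optipng 2>/dev/null || echo "optipng (version unknown)")
    echo "$ver: $verdict"
    [ "$verdict" = patched ]
}

# Usage: sh optipng-qa.sh run [/path/to/POCoptipng]
case "${1:-}" in
    run) run_qa "${2:-}" ;;
esac
```

Run it once before and once after installing the updates_testing package; the verdict should go from unpatched-error to patched, while the "1 error(s) have been encountered" status line stays the same in both runs.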
Proposed security advisory text:
========================
Updated the optipng package to fix a security vulnerability (CVE-2023-43907) and other bugs.

The GIF handler was vulnerable to a global buffer overflow.

References:
https://sourceforge.net/p/optipng/bugs/87/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43907
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/optipng-global-buffer-overflow1/optipng-global-buffer-overflow1.md

mga9:
optipng-0.7.8-1.mga9.x86_64.rpm
optipng-0.7.8-1.mga9.i586.rpm
optipng-0.7.8-1.mga9.armv7hl.rpm
optipng-0.7.8-1.mga9.aarch64.rpm

mga8:
optipng-0.7.8-1.mga8.x86_64.rpm
optipng-0.7.8-1.mga8.i586.rpm
optipng-0.7.8-1.mga8.armv7hl.rpm
optipng-0.7.8-1.mga8.aarch64.rpm

source:
optipng-0.7.8-1.mga9.src.rpm
optipng-0.7.8-1.mga8.src.rpm
Going by the changelog mails, release is higher for Mageia 8 than for Mageia 9:

optipng-0.7.8-2.mga8
optipng-0.7.8-1.mga9
That's the goof-up I mentioned in comment #4. I've asked the sysadmins to delete it so I can rebuild it with the right release.
(In reply to Dan Fandrich from comment #8)
> That's the goof-up I mentioned in comment #4. I've asked the sysadmins to
> delete it so I can rebuild it with the right release.

Sorry, I had missed that. Wouldn't bumping the mga9 release fix this problem, too? (Our sysadmins are rather overloaded, as you well know. I hope you'll have time and energy to join their meeting, even if you didn't partake in the framadate poll.)
That's true. It means both Cauldron and mga9 but I'll do that if nothing happens by tomorrow. I finally remembered to fill out the poll this morning, and I should be able to attend.
mga9-64 OK here.

Confirming the test of comment 5, and also tested OK compressing a local png file: it did compress, result OK, opens with Okular.
Whiteboard: MGA8TOO has_procedure => MGA8TOO, MGA9-64-OK
CC: (none) => fri
Keywords: (none) => has_procedure
I had to bump the release number and rebuild the mga9 binaries. Nothing was changed except the release number, so the packages should be otherwise identical to optipng-0.7.8-1.mga9. The mga8 binaries are now also ready. Ignore the binaries listed in comments #4 and #6 and use this list instead:

mga9:
optipng-0.7.8-2.mga9.x86_64.rpm
optipng-0.7.8-2.mga9.i586.rpm
optipng-0.7.8-2.mga9.armv7hl.rpm
optipng-0.7.8-2.mga9.aarch64.rpm

mga8:
optipng-0.7.8-2.mga8.x86_64.rpm
optipng-0.7.8-2.mga8.i586.rpm
optipng-0.7.8-2.mga8.armv7hl.rpm
optipng-0.7.8-2.mga8.aarch64.rpm

source:
optipng-0.7.8-2.mga9.src.rpm
optipng-0.7.8-2.mga8.src.rpm
Assignee: dan => qa-bugs
Advisory from comment 6 with the SRPMs from comment 12 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
Tested on real hardware with Mageia 9 x86_64 lxqt.

Install current version, download POC file:

optipng POCoptipng
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Unexpected end of GIF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Update to testing version without issue:

optipng POCoptipng
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Malformed GIF (CVE-2023-43907)

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

Is this the expected behavior?
Installed and tested without issues. Tested with lots of images and with the PoC image.

System: Mageia 8, x86_64, AMD Ryzen 5 5600G with Radeon Graphics.

$ curl -sORL https://github.com/Frank-Z7/z-vulnerabilitys/raw/main/POCoptipng

$ # BEFORE UPDATE
$ optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Unexpected end of GIF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

$ # AFTER UPDATE
$ optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Malformed GIF (CVE-2023-43907)

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.

$ uname -a
Linux jupiter 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q optipng
optipng-0.7.8-2.mga8
Whiteboard: MGA8TOO, MGA9-64-OK => MGA8TOO, MGA9-64-OK, MGA8-64-OK
CC: (none) => mageia
(In reply to katnatek from comment #14)
> 1 error(s) have been encountered.
>
> Is this the expected behavior?

I understand it like that. From comment 5: "The unpatched one shows an error but doesn't show that CVE number."

Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0333.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED