optipng: CVE-2017-1000229: Integer Overflow Bug while parsing TIFF input file

Debian Bug report logs - #882032
optipng: CVE-2017-1000229: Integer Overflow Bug while parsing TIFF input file

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: optipng: CVE-2017-1000229: Integer Overflow Bug while parsing TIFF input file

Date: Fri, 17 Nov 2017 20:17:07 +0100

Source: optipng
Version: 0.7.6-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/optipng/bugs/65/

Hi,

the following vulnerability was published for optipng.

CVE-2017-1000229[0]:
| Integer overflow bug in function minitiff_read_info() of optipng 0.7.6
| allows an attacker to remotely execute code or cause denial of
| service.

With the poc.tiff on upstream bug:

==9473== Memcheck, a memory error detector
==9473== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9473== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9473== Command: optipng poc.tiff
==9473== 
** Processing: poc.tiff
==9473== Invalid write of size 4
==9473==    at 0x109C53: read_ulong_values (tiffread.c:131)
==9473==    by 0x117504: minitiff_read_info (tiffread.c:358)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473==  Address 0x4aa56cc is 0 bytes after a block of size 4 alloc'd
==9473==    at 0x482E2BC: malloc (vg_replace_malloc.c:299)
==9473==    by 0x1174CA: minitiff_read_info (tiffread.c:353)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473== 
Error: Error reading TIFF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
==9473== 
==9473== HEAP SUMMARY:
==9473==     in use at exit: 4 bytes in 1 blocks
==9473==   total heap usage: 5 allocs, 4 frees, 5,600 bytes allocated
==9473== 
==9473== LEAK SUMMARY:
==9473==    definitely lost: 4 bytes in 1 blocks
==9473==    indirectly lost: 0 bytes in 0 blocks
==9473==      possibly lost: 0 bytes in 0 blocks
==9473==    still reachable: 0 bytes in 0 blocks
==9473==         suppressed: 0 bytes in 0 blocks
==9473== Rerun with --leak-check=full to see details of leaked memory
==9473== 
==9473== For counts of detected and suppressed errors, rerun with: -v
==9473== ERROR SUMMARY: 262143 errors from 1 contexts (suppressed: 0 from 0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000229
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000229

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #14 received at 882032@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: 882032@bugs.debian.org

Subject: Re: optipng: CVE-2017-1000229: Integer Overflow Bug while parsing TIFF input file

Date: Sun, 19 Nov 2017 17:21:06 +0100

[Message part 1 (text/plain, inline)]

Control: tags -1 fixed-upstream patch

Hi,

someone has prepared a patch candidate for review at

https://sourceforge.net/p/optipng/bugs/65/

It looks like it will prevent the integer overflow.

I'm attaching the patch for your convenience.

Regards,

Markus

[0001-Prevent-integer-overflow-bug-65-CVE-2017-1000229.patch (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Message #25 received at 882032@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 878839@bugs.debian.org, 882032@bugs.debian.org

Subject: optipng: diff for NMU version 0.7.6-1.1

Date: Thu, 7 Dec 2017 21:27:45 +0100

[Message part 1 (text/plain, inline)]

Control: tags 878839 + patch
Control: tags 878839 + pending
Control: tags 882032 + pending

Dear maintainer,

I've prepared an NMU for optipng (versioned as 0.7.6-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

[optipng-0.7.6-1.1-nmu.diff (text/x-diff, attachment)]

Message #30 received at 882032@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Emmanuel Bouthenot <kolter@openics.org>

Cc: 878839@bugs.debian.org, 882032@bugs.debian.org

Subject: optipng: moved to delayed/0

Date: Fri, 8 Dec 2017 17:16:56 +0100

Hi Emmanuel

I perfectly realize it's not conforming to the NMU rules, so if that
made you unhappy I apologies for it. I moved the optipng upload from
delayed/5 to delayed/0 since was planing a security update, and the
point release happening this weekend would imply stretch-version <
sid-version. So opted for moving the upload faster.

Regards,
Salvatore

Message #35 received at 882032-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 882032-close@bugs.debian.org

Subject: Bug#882032: fixed in optipng 0.7.6-1.1

Date: Fri, 08 Dec 2017 16:49:16 +0000

Source: optipng
Source-Version: 0.7.6-1.1

We believe that the bug you reported is fixed in the latest version of
optipng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated optipng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Dec 2017 20:43:29 +0100
Source: optipng
Binary: optipng
Architecture: source
Version: 0.7.6-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 878839 882032
Description: 
 optipng    - advanced PNG (Portable Network Graphics) optimizer
Changes:
 optipng (0.7.6-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229)
     (Closes: #882032)
   * gifread: Detect indirect circular dependencies in LZW tables
     (CVE-2017-16938) (Closes: #878839)
Checksums-Sha1: 
 dc1d3f19c6d2147ff532985d96244d4ef2ceb502 2163 optipng_0.7.6-1.1.dsc
 2a77c95caedb65768d82bbde91ae380acc3aaed3 5952 optipng_0.7.6-1.1.debian.tar.bz2
Checksums-Sha256: 
 1070de5feb0c9862d0c3a5e01ce8669d005a9eebddd95717cc78e8cdb99aeac5 2163 optipng_0.7.6-1.1.dsc
 eef445316b92630920839a0f7249f1a041bafaa95e18c3188eabb84f41d52851 5952 optipng_0.7.6-1.1.debian.tar.bz2
Files: 
 73c0d43aa7a1958dcab983509e970ced 2163 graphics optional optipng_0.7.6-1.1.dsc
 36ea296847cf7de6c70ba4675f52f6b7 5952 graphics optional optipng_0.7.6-1.1.debian.tar.bz2

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlopnpFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Ei0EP/jdwO0bMCmWjJ5quu2OhcN0KNzPNWdSa
LrrkOgS4VffML7aFO2iZD9XMM41KkpVxvAJQFoZ5yvxVQr7LFmzyzS4yDhYzM5JW
UxEaMMtY9ZiTkCBqyYsaX5GefeYtM7xtbnUcXFSH5tSJEPRXhsR2pWXZLlWYQ2yp
qAkXX0gAOkBesNIVkBrGBGAhVyr9lQaaczQrabAl/bC7Btk7bsh8vuhRfZvqUqpT
wUJ3j6d3iOLYCpQctZDP1W02TAU8z08Ql4bSuAHuByt5dLjW4jN3cb8UbaI5EAKG
/oh+NjDSQXMLX9AsAeN4rFnGluPg4uniuT5LBvRJ+swhzFItFXiDZa6zwmbi9vA2
mAQGoQO6u4Et3ZsW85BzNajmZxjajdr0PD4uVQmUxuS0n8gDe5KMv/Lm9kUevt5r
Pu9DmmTwx6FzaAYYDmo2mPO4Q3ig3n1JKUELrbHr8Q+I2wGMc3yYZSfCsnquKV0h
u68p8vX/6wAL3Bcvr6ww3hclr+Sf1k3BoiIdD/EBibyqafCCnrfteFOznq2eXQUR
j/J80YUeP3rus6v+GmYpoIuZGntfzSCO/TjV//ja1MJqJDiQJCIqynU4zw2DMebC
fc7cMaUPTyvkcB9LV1JbuAko/mASVD7leYWP4lm3VmLev7Gokxm3cVaxg9AGughy
G3WV+H6e+oLo
=WRGJ
-----END PGP SIGNATURE-----

Message #40 received at 882032-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 882032-close@bugs.debian.org

Subject: Bug#882032: fixed in optipng 0.7.6-1+deb9u1

Date: Sat, 09 Dec 2017 12:03:01 +0000

Source: optipng
Source-Version: 0.7.6-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
optipng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated optipng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Dec 2017 21:42:04 +0100
Source: optipng
Binary: optipng
Architecture: source
Version: 0.7.6-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 878839 882032
Description: 
 optipng    - advanced PNG (Portable Network Graphics) optimizer
Changes:
 optipng (0.7.6-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229)
     (Closes: #882032)
   * gifread: Detect indirect circular dependencies in LZW tables
     (CVE-2017-16938) (Closes: #878839)
Checksums-Sha1: 
 9f1dc801a97f22f995446910d6fac6573da854de 2183 optipng_0.7.6-1+deb9u1.dsc
 abc480543b85d227db4a84be80ae2dd8a8e53a66 200670 optipng_0.7.6.orig.tar.gz
 2ea608a8c694116b801b98268b90c664e6c0361c 5976 optipng_0.7.6-1+deb9u1.debian.tar.bz2
Checksums-Sha256: 
 e283b8af9c96d29fda091b9bc383e3f91c33424698da3e0ca060c4fa3486babc 2183 optipng_0.7.6-1+deb9u1.dsc
 cd7eccd51f15c789e61041b3e03260e2886e74a274c9a6513a1f6db6cce07dc8 200670 optipng_0.7.6.orig.tar.gz
 79c6b09880fe5c2d72f261caac08f297abf2ca267024f2db00316e63eaf83bed 5976 optipng_0.7.6-1+deb9u1.debian.tar.bz2
Files: 
 952cd81e91d3f9ff2d80af1d6bfa3453 2183 graphics optional optipng_0.7.6-1+deb9u1.dsc
 c36836166ec3b6a12a75600fdb73e6ce 200670 graphics optional optipng_0.7.6.orig.tar.gz
 c8c3f9d47a9a0c885d2c9786c83f8ae5 5976 graphics optional optipng_0.7.6-1+deb9u1.debian.tar.bz2

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlopqC9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EiWEP/1ldAZiQVcD/F9w2pcFttzbHmF5o5V+R
i+rIh4xHKiepOGxGvBj/Rp0vZJQUHNo/bQuirtBO3drZ+G5QhatFBFEhgiuUpp1Q
1kd8c7wnWCMVq7lza0zacWX6KONABbYOLmO3FLFPjv02HfpCcduP5rV+6U9UgJfB
UZWy4+1/k1TnKGmLxU0aN6q41yVFqa6ci8w4qYeJ09oPcE4Cap3ZV1xP7gMFVggf
nOUJfRyejDHzeg6AUupMv/7VRR3I4s0qg5m5cPUGR0o3IUOc6hUZFrExHIEXckZD
YiXy9/RbEkC7LiaicMRKxEHn6TTB/ftWX+G5xwcajV4wKYvBGikLHd8Jwz5++dBK
aeg0fKh+9O1T05Hsc1GxBFD8crAdtIDa3jhSaiVBeqDseBIrNFlZJmcjq1ua2DKe
8wcWtlNucTbF1PSH4LsHr9vPeZwyor5FZdFEdL9rSiBaGso5hRAoYqt04R0HbrwV
CHn32Q7CA91dAIgrutwbnTUalZjh61Oab5lO3ZOmTDo3jPZyiE/lkzbSt+bpAiKx
pe58/aBWILOKuVzehfxpA69bp002QtNAkGOesCj8suqc2AP4C7WxEczgNsjePYvA
qRBVTsKJxw2KMjuoBSzwffAVx7OVQ+zlY57tT1SMw/t108nSEpbe9rdotQZlJ8uF
5Xpl657y9aIY
=RNAL
-----END PGP SIGNATURE-----

Message #45 received at 882032-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 882032-close@bugs.debian.org

Subject: Bug#882032: fixed in optipng 0.7.5-1+deb8u2

Date: Sat, 09 Dec 2017 14:38:32 +0000

Source: optipng
Source-Version: 0.7.5-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
optipng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated optipng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Dec 2017 21:47:21 +0100
Source: optipng
Binary: optipng
Architecture: source
Version: 0.7.5-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 878839 882032
Description: 
 optipng    - advanced PNG (Portable Network Graphics) optimizer
Changes:
 optipng (0.7.5-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229)
     (Closes: #882032)
   * gifread: Detect indirect circular dependencies in LZW tables
     (CVE-2017-16938) (Closes: #878839)
Checksums-Sha1: 
 50bee18cfab0bda33d1b5ffb7717fb9c27c1199c 2182 optipng_0.7.5-1+deb8u2.dsc
 3d06666b97ceebb1e21d5f3bf3293b05e5b91b50 6632 optipng_0.7.5-1+deb8u2.debian.tar.bz2
Checksums-Sha256: 
 5a4487aef6ffd16d4f0827fe88c8b2fcafa1dcc6a2c6b53eda62e5bea4f5a025 2182 optipng_0.7.5-1+deb8u2.dsc
 1fe95d163db418b457c6fdf68e705fc7651b8898459f9c86ac4e452ac88da3b4 6632 optipng_0.7.5-1+deb8u2.debian.tar.bz2
Files: 
 48e2b62cc60888311692fa2aa160a39d 2182 graphics optional optipng_0.7.5-1+deb8u2.dsc
 3b090bb10709b155af4d3a00f66030ef 6632 graphics optional optipng_0.7.5-1+deb8u2.debian.tar.bz2

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlopqUlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EaBUP/2IVR5FJRQ0u6M31jfUzfSL9Ajw3EAO6
o8OdNtfLTzNK7D1sPG+zSw5nx2iRNMjMIwA2IGFte4InNYAlniEbsDvYkPSomzyP
53jgbjjHY7Ylt1rUvdxFYl361GtQcGq3jfkFPdQUN0dKsHhtfhrMYwCndN4JuYEG
wPXby33841gMDUnnUDsQdpR1fnE6sw7jfk/jylLrmF7Pzn4VMeeiJFL8RSa76i9X
vcfVjWlgHtgd6yauacpxGCIBriiApZWEXIVx9iYBMwqz0rfgykU2TXFnThREI4Wj
Ofpat9h4+xG4+WK12kxPIeUQvrRcI7f3FPi9tHodXyXfHkauX/0iff8178f+s+BW
Xlahy5P8kM/WBFkuCrBRhodAr9MoRt5e5uJqMB1V6n5s39wZiJZhtgBIGqtm0cNj
59fSeq7jHtDXWjI369DTP6JVUgfM9qu/y/6LN5R/KxD3RBPLHfjSOUzHCgI1uSyf
aJxZ1suOC48llX+1gEZWSj0oh8GC9jyD8eVyixpaN3f0ngkNFqim/SssMnmlCZY3
uYcfUxRDfqCuZFoOOe8IodwUASnICYhLp7aG3oY1ZVaDRb1igdyyf49naxt2Rmep
YqX9aSr9xNTSM1zjsLPGMY5JeDhZqhjoPbWW8JBVrmRb+Z6oTBYw7B+v0ZTSw2p5
hr2jZoPRRBgE
=DX9g
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.