optipng: CVE-2016-2191: Invalid write while processing delta escapes without any boundary checking

Related Vulnerabilities: CVE-2016-2191, CVE-2016-3981, CVE-2016-3982, CVE-2015-7802

Debian Bug report logs - #820068


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 5 Apr 2016 07:45:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version optipng/0.6.4-1

Fixed in versions optipng/0.7.5-1+deb8u1, optipng/0.6.4-1+deb7u2, optipng/0.7.6-1

Done: Emmanuel Bouthenot <kolter@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/optipng/bugs/59/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#820068; Package src:optipng. (Tue, 05 Apr 2016 07:45:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Tue, 05 Apr 2016 07:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: optipng: CVE-2016-2191: Invalid write while processing delta escapes without any boundary checking
Date: Tue, 05 Apr 2016 09:24:26 +0200
Source: optipng
Version: 0.6.4-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://sourceforge.net/p/optipng/bugs/59/

Hi,

the following vulnerability was published for optipng and is fixed
in 0.7.6 upstream.

CVE-2016-2191[0]:
Invalid write while processing delta escapes without any boundary checking

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2191
[1] https://sourceforge.net/p/optipng/bugs/59/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1308550

Regards,
Salvatore



Severity set to 'grave' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2016 05:03:03 GMT)


Marked as fixed in versions optipng/0.6.4-1+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 08 Apr 2016 04:21:03 GMT)


Marked as fixed in versions optipng/0.7.5-1+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 08 Apr 2016 04:21:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#820068; Package src:optipng. (Fri, 08 Apr 2016 05:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 08 Apr 2016 05:21:04 GMT)


Message #16 received at 820068@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 820068@bugs.debian.org
Subject: optipng: diff for NMU version 0.7.5-1.1
Date: Fri, 8 Apr 2016 07:19:35 +0200
Control: tags 820068 + patch
Control: tags 820068 + pending

Dear maintainer,

I've prepared an NMU for optipng (versioned as 0.7.5-1.1) and uploaded
it to DELAYED/2. Please feel free to tell me if I should delay it
longer. It is exactly the same patch as used by Moritz for the
jessie-security upload. Better would be though to straight go to 0.7.6.

Regards,
Salvatore
[optipng-0.7.5-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 820068-submit@bugs.debian.org. (Fri, 08 Apr 2016 05:21:05 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 820068-submit@bugs.debian.org. (Fri, 08 Apr 2016 05:21:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#820068; Package src:optipng. (Fri, 08 Apr 2016 18:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 08 Apr 2016 18:45:04 GMT)


Message #25 received at 820068@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 820068@bugs.debian.org
Subject: Re: Bug#820068: optipng: diff for NMU version 0.7.5-1.1
Date: Fri, 8 Apr 2016 20:43:35 +0200

Hi

The used patch took into account as well the fixes from upstream bugs
56 and 57, which correspond to CVE-2016-3981 and CVE-2016-3982. At the
time of writing those two CVEs were not yet assigned.

So once accepted into the archive, I will update as well the
information for those CVEs.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#820068; Package src:optipng. (Fri, 08 Apr 2016 21:21:12 GMT)


Acknowledgement sent to Emmanuel Bouthenot <kolter@openics.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 08 Apr 2016 21:21:12 GMT)


Message #30 received at 820068@bugs.debian.org:

From: Emmanuel Bouthenot <kolter@openics.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 820068@bugs.debian.org
Subject: Re: [Pkg-phototools-devel] Bug#820068: optipng: diff for NMU version 0.7.5-1.1
Date: Fri, 8 Apr 2016 23:18:05 +0200

Salvatore,

On Fri, Apr 08, 2016 at 07:19:35AM +0200, Salvatore Bonaccorso wrote:
[...]

> jessie-security upload. Better would be though to straight go to 0.7.6.

Thanks for your various feedback.

optipng 0.7.6 will be uploaded into unstable in a few minutes.

Regards,

M.

-- 
Emmanuel Bouthenot
  mail: kolter@{openics,debian}.org    gpg: 4096R/0x929D42C3
  xmpp: kolter@im.openics.org          irc: kolter@{freenode,oftc}



Reply sent to Emmanuel Bouthenot <kolter@debian.org>:
You have taken responsibility. (Fri, 08 Apr 2016 22:12:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Apr 2016 22:12:08 GMT)


Message #35 received at 820068-close@bugs.debian.org:

From: Emmanuel Bouthenot <kolter@debian.org>
To: 820068-close@bugs.debian.org
Subject: Bug#820068: fixed in optipng 0.7.6-1
Date: Fri, 08 Apr 2016 22:09:02 +0000
Source: optipng
Source-Version: 0.7.6-1

We believe that the bug you reported is fixed in the latest version of
optipng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 820068@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bouthenot <kolter@debian.org> (supplier of updated optipng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 08 Apr 2016 23:13:38 +0200
Source: optipng
Binary: optipng
Architecture: source amd64
Version: 0.7.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Emmanuel Bouthenot <kolter@debian.org>
Description:
 optipng    - advanced PNG (Portable Network Graphics) optimizer
Closes: 801700 820068
Changes:
 optipng (0.7.6-1) unstable; urgency=medium
 .
   * New upstream release
     - fix CVE-2016-2191: Invalid write while processing delta escapes
       without any boundary checking (Closes: #820068)
     - fix CVE-2015-7802: Buffer overflow in global memory (Closes: #801700)
   * Enable hardening=+all build
   * Fix Vcs-(Git|Browser) fields to use secure URIs
   * Bump Standards-Version to 3.9.7
   * Add a patch to fix typo in manpage




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Jun 2016 07:41:23 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:52:40 2019; Machine Name: buxtehude
