Control: tags 878839 + patch
Control: tags 878839 + pending
Control: tags 882032 + pending
Dear maintainer,
I've prepared an NMU for optipng (versioned as 0.7.6-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
diff -Nru optipng-0.7.6/debian/changelog optipng-0.7.6/debian/changelog
--- optipng-0.7.6/debian/changelog 2016-04-08 23:13:43.000000000 +0200
+++ optipng-0.7.6/debian/changelog 2017-12-07 20:43:29.000000000 +0100
@@ -1,3 +1,13 @@
+optipng (0.7.6-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229)
+ (Closes: #882032)
+ * gifread: Detect indirect circular dependencies in LZW tables
+ (CVE-2017-16938) (Closes: #878839)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Thu, 07 Dec 2017 20:43:29 +0100
+
optipng (0.7.6-1) unstable; urgency=medium
* New upstream release
diff -Nru optipng-0.7.6/debian/patches/CVE-2017-1000229 optipng-0.7.6/debian/patches/CVE-2017-1000229
--- optipng-0.7.6/debian/patches/CVE-2017-1000229 1970-01-01 01:00:00.000000000 +0100
+++ optipng-0.7.6/debian/patches/CVE-2017-1000229 2017-12-07 20:43:29.000000000 +0100
@@ -0,0 +1,25 @@
+From 77ac8e9fd9b2c1aeec3951e2bb50f7cc2c1e92d2 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Sun, 19 Nov 2017 16:04:26 +0100
+Subject: [PATCH] Prevent integer overflow (bug #65, CVE-2017-1000229)
+
+---
+ src/minitiff/tiffread.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/minitiff/tiffread.c b/src/minitiff/tiffread.c
+index b4910ec..5f9b376 100644
+--- a/src/minitiff/tiffread.c
++++ b/src/minitiff/tiffread.c
+@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FILE *fp)
+ count = tiff_ptr->strip_offsets_count;
+ if (count == 0 || count > tiff_ptr->height)
+ goto err_invalid;
++ if (count > (size_t)-1 / sizeof(long))
++ goto err_memory;
+ tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
+ if (tiff_ptr->strip_offsets == NULL)
+ goto err_memory;
+--
+2.14.2
+
diff -Nru optipng-0.7.6/debian/patches/CVE-2017-16938 optipng-0.7.6/debian/patches/CVE-2017-16938
--- optipng-0.7.6/debian/patches/CVE-2017-16938 1970-01-01 01:00:00.000000000 +0100
+++ optipng-0.7.6/debian/patches/CVE-2017-16938 2017-12-07 20:43:29.000000000 +0100
@@ -0,0 +1,23 @@
+From e05fb81a20541833a2d62ce08552b18c0920b9a1 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctr...@gmail.com>
+Date: Sat, 25 Nov 2017 23:17:46 -0500
+Subject: [PATCH] gifread: Detect indirect circular dependencies in LZW tables
+
+---
+ src/gifread/gifread.c | 4 +++-
+ src/gifread/gifread.h | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/gifread/gifread.c b/src/gifread/gifread.c
+index 0123456789abcdef..0123456789abcdef 100644
+--- a/src/gifread/gifread.c
++++ b/src/gifread/gifread.c
+@@ -499,6 +499,8 @@ static int LZWReadByte(int init_flag, int input_code_size, FILE *stream)
+ *sp++ = table[1][code];
+ if (code == table[0][code])
+ GIFError("GIF/LZW error: circular table entry");
++ if ((size_t)(sp - stack) >= sizeof(stack) / sizeof(stack[0]))
++ GIFError("GIF/LZW error: circular table");
+ code = table[0][code];
+ }
+
diff -Nru optipng-0.7.6/debian/patches/series optipng-0.7.6/debian/patches/series
--- optipng-0.7.6/debian/patches/series 2016-04-08 22:43:41.000000000 +0200
+++ optipng-0.7.6/debian/patches/series 2017-12-07 20:43:29.000000000 +0100
@@ -1 +1,3 @@
fix_typo_in_manpage
+CVE-2017-1000229
+CVE-2017-16938
