Control: tags 820068 + patch
Control: tags 820068 + pending

Dear maintainer,
I've prepared an NMU for optipng (versioned as 0.7.5-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. It is exactly the same patch as used by Moritz for the jessie-security upload. It would be better, though, to go straight to 0.7.6. Regards, Salvatore
diff -Nru optipng-0.7.5/debian/changelog optipng-0.7.5/debian/changelog
--- optipng-0.7.5/debian/changelog 2014-06-11 13:48:44.000000000 +0200
+++ optipng-0.7.5/debian/changelog 2016-04-08 06:53:53.000000000 +0200
@@ -1,3 +1,12 @@
+optipng (0.7.5-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2016-2191: Invalid write while processing delta escapes without
+ any boundary checking (Patch from Moritz Muehlenhoff from the jessie-
+ security upload) (Closes: #820068)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 08 Apr 2016 06:26:14 +0200
+
 optipng (0.7.5-1) unstable; urgency=medium
 
 * New upstream release (Closes: #687770)
diff -Nru optipng-0.7.5/debian/patches/CVE-2016-2191.patch optipng-0.7.5/debian/patches/CVE-2016-2191.patch
--- optipng-0.7.5/debian/patches/CVE-2016-2191.patch 1970-01-01 01:00:00.000000000 +0100
+++ optipng-0.7.5/debian/patches/CVE-2016-2191.patch 2016-04-08 06:53:53.000000000 +0200
@@ -0,0 +1,140 @@ +Description: CVE-2016-2191: Invalid write while processing delta escapes without any boundary checking +Origin: upstream +Bug: https://sourceforge.net/p/optipng/bugs/59/ +Bug-Debian: https://bugs.debian.org/820068 +Forwarded: not-needed +Author: Moritz Muehlenhoff <j...@debian.org> +Last-Update: 2016-04-08 +Applied-Upstream: 0.7.6 + +--- optipng-0.7.5.orig/src/pngxtern/pngxrbmp.c ++++ optipng-0.7.5/src/pngxtern/pngxrbmp.c +@@ -108,17 +108,17 @@ bmp_get_dword(png_bytep ptr) + + + /*****************************************************************************/ +-/* BMP RLE helpers */ ++/* BMP helpers */ + /*****************************************************************************/ + + static void +-bmp_rle8_memset(png_bytep ptr, size_t offset, int ch, size_t len) ++bmp_memset_bytes(png_bytep ptr, size_t offset, int ch, size_t len) + { + memset(ptr + offset, ch, len); + } + + static void +-bmp_rle4_memset(png_bytep ptr, size_t offset, int ch, size_t len) ++bmp_memset_halfbytes(png_bytep ptr, size_t offset, int ch, size_t len) + { + if (len == 0) + return; +@@ -136,7 +136,7 @@ bmp_rle4_memset(png_bytep ptr, size_t of + } + + static size_t +-bmp_rle8_fread(png_bytep ptr, size_t offset, size_t len, FILE *stream) ++bmp_fread_bytes(png_bytep ptr, size_t offset, size_t len, FILE *stream) + { + size_t result; + +@@ -147,15 +147,17 @@ bmp_rle8_fread(png_bytep ptr, size_t off + } + + static size_t +-bmp_rle4_fread(png_bytep ptr, size_t offset, size_t len, FILE *stream) ++bmp_fread_halfbytes(png_bytep ptr, size_t offset, size_t len, FILE *stream) + { + size_t result; + int ch; + ++ if (len == 0) ++ return 0; + ptr += offset / 2; + if (offset & 1) /* use half-byte operations at odd offset */ + { +- for (result = 0; result < len; result += 2) ++ for (result = 0; result < len - 1; result += 2) + { + ch = getc(stream); + if (ch == EOF) +@@ -231,14 +233,14 @@ bmp_read_rows(png_bytepp begin_row, png_ + endn = row_size * 2; + if (endn <= row_size) + return 0; /* 
overflow */ +- bmp_memset_fn = bmp_rle4_memset; +- bmp_fread_fn = bmp_rle4_fread; ++ bmp_memset_fn = bmp_memset_halfbytes; ++ bmp_fread_fn = bmp_fread_halfbytes; + } + else + { + endn = row_size; +- bmp_memset_fn = bmp_rle8_memset; +- bmp_fread_fn = bmp_rle8_fread; ++ bmp_memset_fn = bmp_memset_bytes; ++ bmp_fread_fn = bmp_fread_bytes; + } + + if (compression == BI_RGB || compression == BI_BITFIELDS) +@@ -258,19 +260,14 @@ bmp_read_rows(png_bytepp begin_row, png_ + if (compression == BI_RLE8) + { + endn = row_size; +- bmp_memset_fn = bmp_rle8_memset; +- bmp_fread_fn = bmp_rle8_fread; + } +- else /* BI_RLE4 */ ++ else /* BI_RLE4 */ + { + endn = row_size * 2; + if (endn <= row_size) + return 0; /* overflow */ +- bmp_memset_fn = bmp_rle4_memset; +- bmp_fread_fn = bmp_rle4_fread; + } +- crt_row = begin_row; +- for ( ; ; ) ++ for (crt_row = begin_row; crt_row != end_row; ) + { + ch = getc(stream); b1 = (unsigned int)ch; + ch = getc(stream); b2 = (unsigned int)ch; +@@ -300,6 +297,7 @@ bmp_read_rows(png_bytepp begin_row, png_ + { + bmp_memset_fn(*crt_row, crtn, 0, endn - crtn); + crt_row += inc; ++ crtn = 0; + result = (begin_row <= end_row) ? + (end_row - begin_row) : (begin_row - end_row); + break; /* the rest is wiped out at the end */ +@@ -311,16 +309,17 @@ bmp_read_rows(png_bytepp begin_row, png_ + if (ch == EOF) + break; + dcrtn = (b1 < endn - crtn) ? 
(crtn + b1) : endn; +- if (b2 > (size_t)((end_row - crt_row) * inc)) +- b2 = (unsigned int)((end_row - crt_row) * inc); + for ( ; b2 > 0; --b2) + { + bmp_memset_fn(*crt_row, crtn, 0, endn - crtn); + crt_row += inc; + crtn = 0; + ++result; ++ if (crt_row == end_row) ++ break; + } +- bmp_memset_fn(*crt_row, crtn, 0, dcrtn - crtn); ++ if (crt_row != end_row) ++ bmp_memset_fn(*crt_row, crtn, 0, dcrtn - crtn); + } + else /* b2 >= 3 bytes in absolute mode */ + { +@@ -566,7 +565,7 @@ pngx_read_bmp(png_structp png_ptr, png_i + rgba_mask[1] = 0x03e0; + rgba_mask[2] = 0x001f; + } +- else /* pixdepth == 24 || pixdepth == 32 */ ++ else /* pixdepth == 24 || pixdepth == 32 */ + { + rgba_mask[0] = (png_uint_32)0x00ff0000L; + rgba_mask[1] = (png_uint_32)0x0000ff00L; diff -Nru optipng-0.7.5/debian/patches/series optipng-0.7.5/debian/patches/series --- optipng-0.7.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ optipng-0.7.5/debian/patches/series 2016-04-08 06:53:53.000000000 +0200 @@ -0,0 +1 @@ +CVE-2016-2191.patch
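Review bot: The delta-escape fix bounds the row advance (`if (crt_row == end_row) break;`, the new `crt_row != end_row` loop condition) and clamps `dcrtn` to `endn`, but the helpers it dispatches through still do no checking of their own — `bmp_memset_bytes` is a bare `memset(ptr + offset, ch, len)` — so every other caller in `bmp_read_rows` must clamp before calling. The encoded-run (`b1 > 0`) and absolute-mode (`b2 >= 3`) branches of that function lie outside the hunk and are not touched by the patch; if their run lengths are not already limited to `endn - crtn` there, a write of the same kind remains reachable from a crafted BMP, so that should be confirmed against the full file (a one-line clamp such as `if (b1 > endn - crtn) b1 = endn - crtn;` in front of those calls would close it if missing). `bmp_read_rows` starts and ends outside the hunk, and `crtn` is presumably advanced to `dcrtn` after the guarded memset in code not shown. On style, renaming `bmp_rle8_*`/`bmp_rle4_*` to `bmp_memset_*`/`bmp_fread_*` and the comment whitespace edits in the `rgba_mask` hunk are unrelated churn that make this security backport harder to audit; the DEP-3 header could carry a `Last-Update`-style pointer to the exact upstream change rather than only `Applied-Upstream: 0.7.6`.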