GNU bug report logs - #29486
[PATCH] gnu: optipng: Fix CVE-2017-1000229.

Previous Next

Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Tue, 28 Nov 2017 17:03:02 UTC

Severity: normal

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 29486 in the body.
You can then email your comments to 29486 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#29486; Package guix-patches. (Tue, 28 Nov 2017 17:03:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 28 Nov 2017 17:03:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Cc: Marius Bakke <mbakke <at> fastmail.com>
Subject: [PATCH] gnu: optipng: Fix CVE-2017-1000229.
Date: Tue, 28 Nov 2017 18:01:50 +0100

* gnu/packages/image.scm (optipng)[source](patches): New field.
* gnu/packages/patches/optipng-CVE-2017-1000229.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/image.scm                             |  1 +
 .../patches/optipng-CVE-2017-1000229.patch         | 22 ++++++++++++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 gnu/packages/patches/optipng-CVE-2017-1000229.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ebff7084b..26845954e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -938,6 +938,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/openssl-runpath.patch			\
   %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch		\
   %D%/packages/patches/openssl-c-rehash-in.patch		\
+  %D%/packages/patches/optipng-CVE-2017-1000229.patch		\
   %D%/packages/patches/orpheus-cast-errors-and-includes.patch	\
   %D%/packages/patches/osip-CVE-2017-7853.patch			\
   %D%/packages/patches/ots-no-include-missing-file.patch	\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 0e1f02556..b9f1ef234 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1095,6 +1095,7 @@ installed as @code{stb_image}.")
        (method url-fetch)
        (uri (string-append "http://prdownloads.sourceforge.net/optipng/optipng-"
                            version ".tar.gz"))
+       (patches (search-patches "optipng-CVE-2017-1000229.patch"))
        (sha256
         (base32
          "105yk5qykvhiahzag67gm36s2kplxf6qn5hay02md0nkrcgn6w28"))))
diff --git a/gnu/packages/patches/optipng-CVE-2017-1000229.patch b/gnu/packages/patches/optipng-CVE-2017-1000229.patch
new file mode 100644
index 000000000..2cb3b2f21
--- /dev/null
+++ b/gnu/packages/patches/optipng-CVE-2017-1000229.patch
@@ -0,0 +1,22 @@
+Fix CVE-2017-1000229:
+
+https://security-tracker.debian.org/tracker/CVE-2017-1000229
+https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000229.html
+https://nvd.nist.gov/vuln/detail/CVE-2017-1000229
+
+Patch copied from upstream bug tracker:
+https://sourceforge.net/p/optipng/bugs/65/
+
+diff --git a/src/minitiff/tiffread.c b/src/minitiff/tiffread.c
+index b4910ec..5f9b376 100644
+--- a/src/minitiff/tiffread.c
++++ b/src/minitiff/tiffread.c
+@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FILE *fp)
+         count = tiff_ptr->strip_offsets_count;
+         if (count == 0 || count > tiff_ptr->height)
+             goto err_invalid;
++        if (count > (size_t)-1 / sizeof(long))
++            goto err_memory;
+         tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
+         if (tiff_ptr->strip_offsets == NULL)
+             goto err_memory;
-- 
2.15.0
Information forwarded to guix-patches <at> gnu.org:
bug#29486; Package guix-patches. (Tue, 28 Nov 2017 18:21:01 GMT) Full text and rfc822 format available.

Message #8 received at 29486 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 29486 <at> debbugs.gnu.org
Subject: Re: [bug#29486] [PATCH] gnu: optipng: Fix CVE-2017-1000229.
Date: Tue, 28 Nov 2017 13:20:02 -0500

[Message part 1 (text/plain, inline)]
On Tue, Nov 28, 2017 at 06:01:50PM +0100, Marius Bakke wrote:
> * gnu/packages/image.scm (optipng)[source](patches): New field.
> * gnu/packages/patches/optipng-CVE-2017-1000229.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.

LGTM, thanks!

[signature.asc (application/pgp-signature, inline)]
Added tag(s) fixed. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 30 Nov 2017 15:04:02 GMT) Full text and rfc822 format available.
bug closed, send any further explanations to 29486 <at> debbugs.gnu.org and Marius Bakke <mbakke <at> fastmail.com> Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 30 Nov 2017 15:04:02 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 29 Dec 2017 12:24:06 GMT) Full text and rfc822 format available.
This bug report was last modified 7 years and 178 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.