From unknown Mon Jun 23 23:50:15 2025
From: bug#29486 <29486@debbugs.gnu.org>
To: bug#29486 <29486@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: optipng: Fix CVE-2017-1000229.
Reply-To: bug#29486 <29486@debbugs.gnu.org>
Date: Tue, 24 Jun 2025 06:50:15 +0000

retitle 29486 [PATCH] gnu: optipng: Fix CVE-2017-1000229.
reassign 29486 guix-patches
submitter 29486 Marius Bakke
severity 29486 normal
tag 29486 patch fixed
thanks

From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 28 12:02:23 2017
From: Marius Bakke To: guix-patches@gnu.org Subject: [PATCH] gnu: optipng: Fix CVE-2017-1000229. Date: Tue, 28 Nov 2017 18:01:50 +0100 Message-Id: <20171128170150.29946-1-mbakke@fastmail.com> X-Mailer: git-send-email 2.15.0 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.4 (----) X-Debbugs-Envelope-To: submit Cc: Marius Bakke X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.4 (----) * gnu/packages/image.scm (optipng)[source](patches): New field. * gnu/packages/patches/optipng-CVE-2017-1000229.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/image.scm | 1 + .../patches/optipng-CVE-2017-1000229.patch | 22 ++++++++++++++++++++++ 3 files changed, 24 insertions(+) create mode 100644 gnu/packages/patches/optipng-CVE-2017-1000229.patch diff --git a/gnu/local.mk b/gnu/local.mk index ebff7084b..26845954e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -938,6 +938,7 @@ dist_patch_DATA = \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ + %D%/packages/patches/optipng-CVE-2017-1000229.patch \ %D%/packages/patches/orpheus-cast-errors-and-includes.patch \ %D%/packages/patches/osip-CVE-2017-7853.patch \ %D%/packages/patches/ots-no-include-missing-file.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 0e1f02556..b9f1ef234 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm 
@@ -1095,6 +1095,7 @@ installed as @code{stb_image}.") (method url-fetch) (uri (string-append "http://prdownloads.sourceforge.net/optipng/optipng-" version ".tar.gz")) + (patches (search-patches "optipng-CVE-2017-1000229.patch")) (sha256 (base32 "105yk5qykvhiahzag67gm36s2kplxf6qn5hay02md0nkrcgn6w28")))) diff --git a/gnu/packages/patches/optipng-CVE-2017-1000229.patch b/gnu/packages/patches/optipng-CVE-2017-1000229.patch new file mode 100644 index 000000000..2cb3b2f21 --- /dev/null +++ b/gnu/packages/patches/optipng-CVE-2017-1000229.patch 
@@ -0,0 +1,22 @@ +Fix CVE-2017-1000229: + +https://security-tracker.debian.org/tracker/CVE-2017-1000229 +https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000229.html +https://nvd.nist.gov/vuln/detail/CVE-2017-1000229 + +Patch copied from upstream bug tracker: +https://sourceforge.net/p/optipng/bugs/65/ + +diff --git a/src/minitiff/tiffread.c b/src/minitiff/tiffread.c +index b4910ec..5f9b376 100644 +--- a/src/minitiff/tiffread.c ++++ b/src/minitiff/tiffread.c +@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FILE *fp) + count = tiff_ptr->strip_offsets_count; + if (count == 0 || count > tiff_ptr->height) + goto err_invalid; ++ if (count > (size_t)-1 / sizeof(long)) ++ goto err_memory; + tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long)); + if (tiff_ptr->strip_offsets == NULL) + goto err_memory; -- 2.15.0 From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 28 13:20:08 2017 Received: (at 29486) by debbugs.gnu.org; 28 Nov 2017 18:20:08 +0000 Received: from localhost ([127.0.0.1]:35036 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eJkUK-0007Nh-Hk for submit@debbugs.gnu.org; Tue, 28 Nov 2017 13:20:08 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:53493) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eJkUG-0007NW-QO for 29486@debbugs.gnu.org; Tue, 28 Nov 2017 13:20:07 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id A99D620CB8; Tue, 28 Nov 2017 13:20:04 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute4.internal (MEProxy); Tue, 28 Nov 2017 13:20:04 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= mesmtp; bh=zdoDWq1ByY4Tojn1Oorib/gaTK/pxilghaxyV4zYXxI=; b=xtTM8 
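Review bot: in the tiffread.c hunk the new guard, `if (count > (size_t)-1 / sizeof(long)) goto err_memory;`, reports a strip count whose `count * sizeof(long)` would wrap as an allocation failure, while the check on the line just above sends an oversized count to `err_invalid`; a count that large can only come from a malformed header, so `err_invalid` would be the more consistent label. Since the patch header says it is copied verbatim from the upstream tracker, diverging from upstream is a trade-off, and if you keep `err_memory` a one-line remark in the patch header explaining the choice would help the next reader. Note also that the guard can only fire when `tiff_ptr->height` is itself at least `(size_t)-1 / sizeof(long)`, because the preceding `count > tiff_ptr->height` check already bounds `count`; that makes it clearly necessary on 32-bit builds, whereas on 64-bit targets its reachability depends on how wide `height` is, which the hunk does not show. `SIZE_MAX` from <stdint.h> says the same as `(size_t)-1` more readably.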
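The overflow guard in the tiffread.c hunk above, as an added C example that is not part of the Guix patch or of optipng's minitiff code: it places the unguarded `count * sizeof(long)` computation next to the guarded one and simulates the read path's checks (the existing `count == 0 || count > height` test, then the new guard, then `malloc`) so that the undersized buffer the guard prevents is observable without writing out of bounds. The status codes, the `size_t` type for `height` and the `OVERFLOWING_COUNT` constant are assumptions for illustration.

```c
/* Added example, not optipng code: the allocation-size overflow closed by the
 * patch's `count > (size_t)-1 / sizeof(long)` check. Types, status codes and
 * the height bound are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum strip_status { STRIP_OK = 0, STRIP_ERR_INVALID = 1, STRIP_ERR_MEMORY = 2 };

struct size_result { int ok; size_t bytes; };
struct strip_result { enum strip_status status; size_t allocated; };

/* Smallest count past the guard's threshold. Because sizeof(long) is a power
 * of two, count * sizeof(long) wraps modulo SIZE_MAX + 1 to exactly
 * sizeof(long): room for one element where `count` elements are expected. */
#define OVERFLOWING_COUNT (SIZE_MAX / sizeof(long) + 2)

/* Unguarded computation, the pre-patch behaviour. */
size_t strip_bytes_unchecked(size_t count)
{
    return count * sizeof(long); /* wraps silently for large count */
}

/* Guarded computation, equivalent to the patch's check: ok == 0 means the
 * product is not representable as size_t. */
struct size_result strip_bytes_checked(size_t count)
{
    struct size_result r = { 0, 0 };
    if (count > SIZE_MAX / sizeof(long))
        return r;
    r.ok = 1;
    r.bytes = count * sizeof(long);
    return r;
}

/* Mirrors the decision sequence of the hunk: the existing
 * `count == 0 || count > height` check, then (if patched) the overflow guard,
 * then malloc. The buffer is freed at once and never written, so on the
 * unpatched path the undersized allocation shows up in .allocated instead of
 * as memory corruption. */
struct strip_result read_strip_offsets(size_t count, size_t height, int patched)
{
    struct strip_result r = { STRIP_OK, 0 };
    size_t bytes;
    long *strip_offsets;

    if (count == 0 || count > height) {
        r.status = STRIP_ERR_INVALID;
        return r;
    }
    if (patched) {
        struct size_result s = strip_bytes_checked(count);
        if (!s.ok) {
            r.status = STRIP_ERR_MEMORY; /* the patch's err_memory label */
            return r;
        }
        bytes = s.bytes;
    } else {
        bytes = strip_bytes_unchecked(count);
    }
    strip_offsets = (long *)malloc(bytes);
    if (strip_offsets == NULL) {
        r.status = STRIP_ERR_MEMORY;
        return r;
    }
    r.allocated = bytes;
    free(strip_offsets);
    return r;
}

int main(void)
{
    struct strip_result bad = read_strip_offsets(OVERFLOWING_COUNT, SIZE_MAX, 0);
    struct strip_result good = read_strip_offsets(OVERFLOWING_COUNT, SIZE_MAX, 1);
    printf("unpatched: status %d, allocated %zu bytes for %zu offsets\n",
           (int)bad.status, bad.allocated, (size_t)OVERFLOWING_COUNT);
    printf("patched:   status %d (err_memory), allocated %zu bytes\n",
           (int)good.status, good.allocated);
    return 0;
}
```

On the unpatched path the simulation "succeeds" with a buffer of `sizeof(long)` bytes for a table of `OVERFLOWING_COUNT` entries, which is the condition under which the real loop filling `strip_offsets` would write past the allocation; the patched path rejects the same input before `malloc` is reached. The `height` argument has to be at least the threshold for the guard to matter, which is the point made in the review note about 32-bit versus 64-bit targets.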
Date: Tue, 28 Nov 2017 13:20:02 -0500
From: Leo Famulari
To: Marius Bakke
Subject: Re: [bug#29486] [PATCH] gnu: optipng: Fix CVE-2017-1000229.
Message-ID: <20171128182002.GE14200@jasmine.lan>
References: <20171128170150.29946-1-mbakke@fastmail.com>
In-Reply-To: <20171128170150.29946-1-mbakke@fastmail.com>
Cc: 29486@debbugs.gnu.org
User-Agent: Mutt/1.9.1 (2017-09-22)

On Tue, Nov 28, 2017 at 06:01:50PM +0100, Marius Bakke wrote:
> * gnu/packages/image.scm (optipng)[source](patches): New field.
> * gnu/packages/patches/optipng-CVE-2017-1000229.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.

LGTM, thanks!
From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 30 10:03:41 2017
Date: Thu, 30 Nov 2017 16:03:37 +0100
Message-Id: <87wp273j1y.fsf@gnu.org>
To: control@debbugs.gnu.org
From: ludo@gnu.org (Ludovic Courtès)
Subject: control message for bug #29486
tags 29486 fixed
close 29486

From unknown Mon Jun 23 23:50:15 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Date: Fri, 29 Dec 2017 12:24:06 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator