[Pkg-phototools-devel] Bug#882032: optipng: CVE-2017-1000229: Integer Overflow Bug while parsing TIFF input file

Salvatore Bonaccorso carnil at debian.org
Fri Nov 17 19:17:07 UTC 2017


Source: optipng
Version: 0.7.6-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/optipng/bugs/65/

Hi,

the following vulnerability was published for optipng.

CVE-2017-1000229[0]:
| Integer overflow bug in function minitiff_read_info() of optipng 0.7.6
| allows an attacker to remotely execute code or cause denial of
| service.

With the poc.tiff from the upstream bug:

==9473== Memcheck, a memory error detector
==9473== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9473== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9473== Command: optipng poc.tiff
==9473== 
** Processing: poc.tiff
==9473== Invalid write of size 4
==9473==    at 0x109C53: read_ulong_values (tiffread.c:131)
==9473==    by 0x117504: minitiff_read_info (tiffread.c:358)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473==  Address 0x4aa56cc is 0 bytes after a block of size 4 alloc'd
==9473==    at 0x482E2BC: malloc (vg_replace_malloc.c:299)
==9473==    by 0x1174CA: minitiff_read_info (tiffread.c:353)
==9473==    by 0x114B07: pngx_read_tiff (pngxrtif.c:85)
==9473==    by 0x11272C: pngx_read_image (pngxread.c:130)
==9473==    by 0x10CABF: opng_read_file (optim.c:939)
==9473==    by 0x10DE99: opng_optimize_impl (optim.c:1503)
==9473==    by 0x10EC28: opng_optimize (optim.c:1853)
==9473==    by 0x10A30E: process_files (optipng.c:941)
==9473==    by 0x10A30E: main (optipng.c:975)
==9473== 
Error: Error reading TIFF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
==9473== 
==9473== HEAP SUMMARY:
==9473==     in use at exit: 4 bytes in 1 blocks
==9473==   total heap usage: 5 allocs, 4 frees, 5,600 bytes allocated
==9473== 
==9473== LEAK SUMMARY:
==9473==    definitely lost: 4 bytes in 1 blocks
==9473==    indirectly lost: 0 bytes in 0 blocks
==9473==      possibly lost: 0 bytes in 0 blocks
==9473==    still reachable: 0 bytes in 0 blocks
==9473==         suppressed: 0 bytes in 0 blocks
==9473== Rerun with --leak-check=full to see details of leaked memory
==9473== 
==9473== For counts of detected and suppressed errors, rerun with: -v
==9473== ERROR SUMMARY: 262143 errors from 1 contexts (suppressed: 0 from 0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000229
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000229

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
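
The following is an added illustration, not part of the original message and not optipng's code: it shows the general bug class named in the CVE description, where an element count taken from a file is multiplied into an allocation size that wraps, next to a checked version. All function names, the constructed count value and the use of uint32_t to model 32-bit size arithmetic are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helpers, not optipng code. uint32_t stands in for a 32-bit
 * size_t so the wrap-around is reproducible on any host. */

/* Unchecked: count * 4 is reduced modulo 2^32 before malloc() sees it. */
static uint32_t alloc_size_unchecked(uint32_t count)
{
    return count * (uint32_t)sizeof(uint32_t);
}

/* Checked: 0 and *out on success, -1 if the product would wrap or the
 * values could not physically fit in a file of file_size bytes. */
static int alloc_size_checked(uint32_t count, uint32_t file_size, uint32_t *out)
{
    if (count == 0 || count > UINT32_MAX / sizeof(uint32_t))
        return -1;
    if (count * (uint32_t)sizeof(uint32_t) > file_size)
        return -1;
    *out = count * (uint32_t)sizeof(uint32_t);
    return 0;
}

/* Hardened reader: validate count and offset, then allocate and decode
 * little-endian 32-bit values from an in-memory copy of the file. */
static uint32_t *read_u32_values(const uint8_t *buf, uint32_t len,
                                 uint32_t offset, uint32_t count)
{
    uint32_t bytes, i;
    uint32_t *v;
    if (alloc_size_checked(count, len, &bytes) != 0) return NULL;
    if (offset > len || bytes > len - offset) return NULL;
    if ((v = malloc(bytes)) == NULL) return NULL;
    for (i = 0; i < count; i++) {
        const uint8_t *p = buf + offset + 4u * i;
        v[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
               (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return v;
}

int main(void)
{
    uint32_t count = 0x40000001u, out = 0;  /* constructed value */
    printf("unchecked size: %u bytes\n", (unsigned)alloc_size_unchecked(count));
    printf("checked: %d\n", alloc_size_checked(count, 1024u, &out));
    return 0;
}
```

Bounding the count by the file size as well as by the wrap limit rejects counts that are arithmetically valid but could never be backed by data in the input.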
