
Bug#819499: wheezy-pu: package optipng/0.6.4-1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I have prepared a security update for optipng in wheezy to address
CVE-2015-7801. I have contacted the security team but they don't think
this issue warrants a DSA. Please find attached the debdiff.

Regards,

Markus
diff -Nru optipng-0.6.4/debian/changelog optipng-0.6.4/debian/changelog
--- optipng-0.6.4/debian/changelog	2010-03-17 16:26:21.000000000 +0100
+++ optipng-0.6.4/debian/changelog	2016-03-28 23:41:09.000000000 +0200
@@ -1,3 +1,12 @@
+optipng (0.6.4-1+deb7u1) wheezy; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-7801:
+    Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double
+    free.
+
+ -- Markus Koschany <apo@debian.org>  Mon, 28 Mar 2016 23:15:19 +0200
+
 optipng (0.6.4-1) unstable; urgency=low
 
   * New upstream release;
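
Review bot: the new 0.6.4-1+deb7u1 entry describes the vulnerability ("Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double free") but not the change that was made. Someone reading the changelog alone cannot tell that the fix is a quilt patch or what it alters. Suggest naming debian/patches/CVE-2015-7801.patch in the entry and stating that opng_optimize() now skips opng_destroy_image_info() when the error message is "Inconsistent data in libpng".
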
diff -Nru optipng-0.6.4/debian/patches/CVE-2015-7801.patch optipng-0.6.4/debian/patches/CVE-2015-7801.patch
--- optipng-0.6.4/debian/patches/CVE-2015-7801.patch	1970-01-01 01:00:00.000000000 +0100
+++ optipng-0.6.4/debian/patches/CVE-2015-7801.patch	2016-03-28 23:41:09.000000000 +0200
@@ -0,0 +1,34 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 28 Mar 2016 23:13:51 +0200
+Subject: CVE-2015-7801
+
+Fix Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double
+free.
+---
+ src/opngoptim.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/opngoptim.c b/src/opngoptim.c
+index aab5580..cf55ed6 100644
+--- a/src/opngoptim.c
++++ b/src/opngoptim.c
+@@ -1877,7 +1877,7 @@ opng_initialize(const struct opng_options *init_options,
+ int
+ opng_optimize(const char *infile_name)
+ {
+-   const char *err_msg;
++   const char *err_msg = "";
+    volatile int result;  /* needs not be volatile, but keeps compilers happy */
+ 
+    OPNG_ENSURE(engine.started, "The OptiPNG engine is not running");
+@@ -1906,7 +1906,9 @@ opng_optimize(const char *infile_name)
+       opng_print_error(err_msg);
+       result = -1;
+    }
+-   opng_destroy_image_info();
++   // Don't attempt to free if libpng is confused
++   if (strcmp(err_msg, "Inconsistent data in libpng"))
++       opng_destroy_image_info();
+    usr_printf("\n");
+    return result;
+ }
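
Review bot: in the second src/opngoptim.c hunk, the decision to call opng_destroy_image_info() depends on strcmp(err_msg, "Inconsistent data in libpng"), which ties the memory-safety fix to the exact wording of an error string. If that message is ever reworded where it is raised, or if another error path leaves the image info in the same state, the invalid/double free comes back with no compile-time or run-time signal. Suggest carrying the condition as an explicit flag or error code set where the inconsistency is detected, or making opng_destroy_image_info() safe to call twice by resetting the pointers it frees. On the skipped path the image info is left untouched, so it is worth confirming that nothing is leaked or left stale when opng_optimize() is called for the next input file. Two smaller points: the added comment uses // while the surrounding code uses /* */ (see the "volatile int result" line), and the hunk adds a strcmp() call without showing that string.h is included in this file. The err_msg = "" initialisation in the first hunk is needed for that strcmp() on the non-error path and deserves a short comment saying so. The patch header also repeats the ungrammatical "Fix Use-after-free vulnerability ... is causing" sentence and does not say where the fix originates.
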
diff -Nru optipng-0.6.4/debian/patches/series optipng-0.6.4/debian/patches/series
--- optipng-0.6.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ optipng-0.6.4/debian/patches/series	2016-03-28 23:41:09.000000000 +0200
@@ -0,0 +1 @@
+CVE-2015-7801.patch
