
Bug#819499: marked as done (wheezy-pu: package optipng/0.6.4-1)



Your message dated Sat, 04 Jun 2016 14:54:37 +0100
with message-id <1465048477.7545.10.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixed included in 7.11
has caused the Debian Bug report #819499,
regarding wheezy-pu: package optipng/0.6.4-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
819499: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819499
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I have prepared a security update for optipng in wheezy to address
CVE-2015-7801. I have contacted the security team but they don't think
this issue warrants a DSA. Please find attached the debdiff.

Regards,

Markus
diff -Nru optipng-0.6.4/debian/changelog optipng-0.6.4/debian/changelog
--- optipng-0.6.4/debian/changelog	2010-03-17 16:26:21.000000000 +0100
+++ optipng-0.6.4/debian/changelog	2016-03-28 23:41:09.000000000 +0200
@@ -1,3 +1,12 @@
+optipng (0.6.4-1+deb7u1) wheezy; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-7801:
+    Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double
+    free.
+
+ -- Markus Koschany <apo@debian.org>  Mon, 28 Mar 2016 23:15:19 +0200
+
 optipng (0.6.4-1) unstable; urgency=low
 
   * New upstream release;
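Review bot: the new changelog entry under "Fix CVE-2015-7801" restates the symptom but does not say what was changed or where. Consider naming the added patch, debian/patches/CVE-2015-7801.patch, and noting that it modifies opng_optimize() in src/opngoptim.c, so that someone reading only the changelog can locate the fix.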
diff -Nru optipng-0.6.4/debian/patches/CVE-2015-7801.patch optipng-0.6.4/debian/patches/CVE-2015-7801.patch
--- optipng-0.6.4/debian/patches/CVE-2015-7801.patch	1970-01-01 01:00:00.000000000 +0100
+++ optipng-0.6.4/debian/patches/CVE-2015-7801.patch	2016-03-28 23:41:09.000000000 +0200
@@ -0,0 +1,34 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 28 Mar 2016 23:13:51 +0200
+Subject: CVE-2015-7801
+
+Fix Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double
+free.
+---
+ src/opngoptim.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/opngoptim.c b/src/opngoptim.c
+index aab5580..cf55ed6 100644
+--- a/src/opngoptim.c
++++ b/src/opngoptim.c
+@@ -1877,7 +1877,7 @@ opng_initialize(const struct opng_options *init_options,
+ int
+ opng_optimize(const char *infile_name)
+ {
+-   const char *err_msg;
++   const char *err_msg = "";
+    volatile int result;  /* needs not be volatile, but keeps compilers happy */
+ 
+    OPNG_ENSURE(engine.started, "The OptiPNG engine is not running");
+@@ -1906,7 +1906,9 @@ opng_optimize(const char *infile_name)
+       opng_print_error(err_msg);
+       result = -1;
+    }
+-   opng_destroy_image_info();
++   // Don't attempt to free if libpng is confused
++   if (strcmp(err_msg, "Inconsistent data in libpng"))
++       opng_destroy_image_info();
+    usr_printf("\n");
+    return result;
+ }
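Review bot: in the second inner hunk (around line 1906 of src/opngoptim.c), the decision to skip opng_destroy_image_info() rests on strcmp(err_msg, "Inconsistent data in libpng"), that is, on matching human-readable error text. If that message is ever reworded where it is raised, the guard silently stops matching and the free runs again; a dedicated flag or error code set where the inconsistency is detected would be sturdier. Skipping the call also leaves whatever opng_destroy_image_info() releases allocated on that path, which deserves a sentence in the patch description. Two smaller points: the added comment uses // while the surrounding code uses /* */ (see the declaration of result), and the patch adds a strcmp() call without adding an include, so confirm that <string.h> is already included in src/opngoptim.c. The err_msg = "" initializer in the first inner hunk appears to be what keeps this strcmp() from reading an unset pointer when no error was caught, so the two changes should stay together.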
diff -Nru optipng-0.6.4/debian/patches/series optipng-0.6.4/debian/patches/series
--- optipng-0.6.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ optipng-0.6.4/debian/patches/series	2016-03-28 23:41:09.000000000 +0200
@@ -0,0 +1 @@
+CVE-2015-7801.patch

--- End Message ---
--- Begin Message ---
Version: 7.11

Hi,

The fixes referred to in each of these bugs were included in today's
7.11 point release.

Regards,

Adam

--- End Message ---
