--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package optipng/0.6.4-1
- From: Markus Koschany <apo@debian.org>
- Date: Tue, 29 Mar 2016 19:16:58 +0200
- Message-id: <145927181815.25885.15709180857221667288.reportbug@conan>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I have prepared a security update for optipng in wheezy to address
CVE-2015-7801. I have contacted the security team but they don't think
this issue warrants a DSA. Please find attached the debdiff.
Regards,
Markus
diff -Nru optipng-0.6.4/debian/changelog optipng-0.6.4/debian/changelog
--- optipng-0.6.4/debian/changelog 2010-03-17 16:26:21.000000000 +0100
+++ optipng-0.6.4/debian/changelog 2016-03-28 23:41:09.000000000 +0200
@@ -1,3 +1,12 @@
+optipng (0.6.4-1+deb7u1) wheezy; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2015-7801:
+ Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double
+ free.
+
+ -- Markus Koschany <apo@debian.org> Mon, 28 Mar 2016 23:15:19 +0200
+
optipng (0.6.4-1) unstable; urgency=low
* New upstream release;
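Review bot: The new changelog entry names the vulnerability but not the change made to fix it. Consider stating that debian/patches/CVE-2015-7801.patch was added and that opng_optimize() in src/opngoptim.c now skips opng_destroy_image_info() when libpng reports inconsistent data, so the entry can be read without opening the patch.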
diff -Nru optipng-0.6.4/debian/patches/CVE-2015-7801.patch optipng-0.6.4/debian/patches/CVE-2015-7801.patch
--- optipng-0.6.4/debian/patches/CVE-2015-7801.patch 1970-01-01 01:00:00.000000000 +0100
+++ optipng-0.6.4/debian/patches/CVE-2015-7801.patch 2016-03-28 23:41:09.000000000 +0200
@@ -0,0 +1,34 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 28 Mar 2016 23:13:51 +0200
+Subject: CVE-2015-7801
+
+Fix Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double
+free.
+---
+ src/opngoptim.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/opngoptim.c b/src/opngoptim.c
+index aab5580..cf55ed6 100644
+--- a/src/opngoptim.c
++++ b/src/opngoptim.c
+@@ -1877,7 +1877,7 @@ opng_initialize(const struct opng_options *init_options,
+ int
+ opng_optimize(const char *infile_name)
+ {
+- const char *err_msg;
++ const char *err_msg = "";
+ volatile int result; /* needs not be volatile, but keeps compilers happy */
+
+ OPNG_ENSURE(engine.started, "The OptiPNG engine is not running");
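Review bot: The initializer added on `const char *err_msg = "";` carries no comment explaining why it is needed. Judging from the lines shown, it exists so that the strcmp(err_msg, ...) call added near the end of opng_optimize() is well defined when no error message was assigned. Say so next to the declaration, or initialise to NULL and test for NULL before comparing, which keeps "no error" distinct from an empty message.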
+@@ -1906,7 +1906,9 @@ opng_optimize(const char *infile_name)
+ opng_print_error(err_msg);
+ result = -1;
+ }
+- opng_destroy_image_info();
++ // Don't attempt to free if libpng is confused
++ if (strcmp(err_msg, "Inconsistent data in libpng"))
++ opng_destroy_image_info();
+ usr_printf("\n");
+ return result;
+ }
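Review bot: The guard `if (strcmp(err_msg, "Inconsistent data in libpng"))` decides whether memory is released by comparing the text of an error message, which is fragile. If that string is ever reworded where it is raised, the comparison stops matching and opng_destroy_image_info() runs on the inconsistent state again, bringing back the invalid/double free. A dedicated flag or error code set at the point where the inconsistency is detected would be more robust. Smaller points on the same lines: skipping the call leaves the image info unreleased on this path, which the comment should state as intentional; the `//` comment does not match the /* */ style used a few lines above; the test reads more clearly as `!= 0`; and the diff adds no `#include <string.h>`, so confirm the file already includes it.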
diff -Nru optipng-0.6.4/debian/patches/series optipng-0.6.4/debian/patches/series
--- optipng-0.6.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ optipng-0.6.4/debian/patches/series 2016-03-28 23:41:09.000000000 +0200
@@ -0,0 +1 @@
+CVE-2015-7801.patch
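Review bot: debian/patches/series is created from nothing here (old side dated 1970-01-01), and the debdiff touches no other packaging file, so nothing shown confirms the patch is applied at build time. Please verify that the package's source format or debian/rules applies the series in wheezy, and check the build log or the unpacked tree for the changed lines in src/opngoptim.c.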
--- End Message ---