Bug 1215937 (CVE-2023-43907)

Summary: VUL-0: CVE-2023-43907: optipng: global buffer overflow via the 'buffer' variable at gifread.c
Product: openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Security Team bot <security-team>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: gabriele.sonnu, meissner
Version: Leap 15.6
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/380479/
Found By: Security Response Team

Description SMASH SMASH 2023-10-04 09:15:12 UTC
OptiPNG v0.7.7 was discovered to contain a global buffer overflow via the 'buffer' variable at gifread.c.

References:
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/optipng-global-buffer-overflow1/optipng-global-buffer-overflow1.md
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43907
Comment 1 Gabriele Sonnu 2023-10-04 09:16:30 UTC
Tracking as affected:

- openSUSE:Backports:SLE-15-SP4/optipng
- openSUSE:Backports:SLE-15-SP5/optipng
- openSUSE:Factory/optipng
Comment 2 Petr Gajdos 2023-10-05 12:48:07 UTC
https://sourceforge.net/p/optipng/bugs/87/

No reaction from upstream so far.
Comment 3 Petr Gajdos 2023-10-09 10:13:09 UTC
I cannot reproduce the bug with asan:

:/215937 # ldd /usr/bin/optipng | grep asan
	libasan.so.8 => /lib64/libasan.so.8 (0x00007f432c800000)
:/215937 # optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Unexpected end of GIF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
:/215937 #
nor valgrind:

$ valgrind  -q optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Unexpected end of GIF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
$
Comment 4 Petr Gajdos 2023-11-13 12:47:47 UTC
Submitted for: TW,b15sp6,b15sp5,b15sp4,b15sp3/optipng.

I believe all fixed.
Comment 5 OBSbugzilla Bot 2023-11-13 13:25:02 UTC
This is an autogenerated message for OBS integration:
This bug (1215937) was mentioned in
https://build.opensuse.org/request/show/1125547 Factory / optipng
https://build.opensuse.org/request/show/1125568 Backports:SLE-15-SP6 / optipng
https://build.opensuse.org/request/show/1125569 Backports:SLE-15-SP5 / optipng
https://build.opensuse.org/request/show/1125570 Backports:SLE-15-SP4 / optipng
https://build.opensuse.org/request/show/1125571 Backports:SLE-15-SP3 / optipng
Comment 6 Marcus Meissner 2023-11-16 15:33:05 UTC
The backport submissions are not really working with the factory version:

openSUSE_Backports_SLE-15-SP5_Update ppc64le    unresolvable: 
      nothing provides libpng-devel >= 1.6.35
      (got version 1.6.34 provided by libpng16-compat-devel)
      (got version 1.2.57 provided by libpng12-compat-devel)

They need to be relaxed, I guess.
Comment 7 Petr Gajdos 2023-11-28 10:45:08 UTC
Ah, apologies.

I will look at whether this requirement is hard or not. Do we still have the possibility to release the patch instead of a version update?
Comment 8 Marcus Meissner 2023-11-28 10:54:46 UTC
We can do a version update, but the strict version requirements would need to be relaxed.

I think they just are there to ensure we have applied security fixes to these libraries, which we did.
Comment 9 Petr Gajdos 2023-11-29 10:49:55 UTC
There are sr#1129768 and sr#1129766 for 15sp4 and 15sp5 backports respectively.

Not sure whether sr#1129764 should be done differently.

I do not know what to do with the 15sp3 backports; it does not branch with mbranch anymore. What do you think?
Comment 10 Marcus Meissner 2023-11-29 10:50:29 UTC
15 sp3 backports is EOL.
Comment 11 Petr Gajdos 2023-11-29 10:54:37 UTC
I thought so, just that my wrong request was accepted:
https://build.opensuse.org/request/show/1125571
but it does not seem to have any effect.

Thanks, if anything else, let me know.
Comment 12 Petr Gajdos 2023-11-29 11:09:20 UTC
New attempts: sr#1129775, sr#1129777, sr#1129778.
Comment 13 OBSbugzilla Bot 2023-11-29 11:45:02 UTC
This is an autogenerated message for OBS integration:
This bug (1215937) was mentioned in
https://build.opensuse.org/request/show/1129775 Backports:SLE-15-SP4 / optipng
https://build.opensuse.org/request/show/1129777 Backports:SLE-15-SP5 / optipng
https://build.opensuse.org/request/show/1129778 Backports:SLE-15-SP6 / optipng
Comment 14 Marcus Meissner 2023-11-29 20:04:58 UTC
openSUSE-SU-2023:0383-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1215937
CVE References: CVE-2023-43907
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    optipng-0.7.8-bp155.5.5.1
Comment 15 Petr Gajdos 2023-11-30 10:33:45 UTC
Requests were accepted, I believe all fixed.
Comment 16 Marcus Meissner 2023-12-02 20:04:52 UTC
openSUSE-SU-2023:0388-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1215937
CVE References: CVE-2023-43907
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    optipng-0.7.8-bp154.3.5.1