Bugzilla – Bug 1215937
VUL-0: CVE-2023-43907: optipng: global buffer overflow via the 'buffer' variable at gifread.c
Last modified: 2023-12-02 20:04:52 UTC
OptiPNG v0.7.7 was discovered to contain a global buffer overflow via the 'buffer' variable at gifread.c.

References:
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/optipng-global-buffer-overflow1/optipng-global-buffer-overflow1.md
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43907

Tracking as affected:
- openSUSE:Backports:SLE-15-SP4/optipng
- openSUSE:Backports:SLE-15-SP5/optipng
- openSUSE:Factory/optipng
https://sourceforge.net/p/optipng/bugs/87/
no reaction from upstream so far

I cannot reproduce the bug with asan:

:/215937 # ldd /usr/bin/optipng | grep asan
        libasan.so.8 => /lib64/libasan.so.8 (0x00007f432c800000)
:/215937 # optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Unexpected end of GIF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
:/215937 #

nor valgrind:

$ valgrind -q optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
** Processing: POCoptipng
Warning: Bogus data in GIF file
Error: Unexpected end of GIF file

** Status report
1 file(s) have been processed.
1 error(s) have been encountered.
$
Submitted for: TW,b15sp6,b15sp5,b15sp4,b15sp3/optipng. I believe all fixed.
This is an autogenerated message for OBS integration:
This bug (1215937) was mentioned in
https://build.opensuse.org/request/show/1125547 Factory / optipng
https://build.opensuse.org/request/show/1125568 Backports:SLE-15-SP6 / optipng
https://build.opensuse.org/request/show/1125569 Backports:SLE-15-SP5 / optipng
https://build.opensuse.org/request/show/1125570 Backports:SLE-15-SP4 / optipng
https://build.opensuse.org/request/show/1125571 Backports:SLE-15-SP3 / optipng

The backport submissions are not really working with the factory version:

openSUSE_Backports_SLE-15-SP5_Update ppc64le
unresolvable: nothing provides libpng-devel >= 1.6.35 (got version 1.6.34 provided by libpng16-compat-devel) (got version 1.2.57 provided by libpng12-compat-devel)

They need to be relaxed, I guess.

Ah, I apologize. I will look at whether this requirement is hard or not. Do we still have the possibility to release the patch instead of a version update?

We can do a version update, but the strict version requires would need to be relaxed. I think they are just there to ensure we have applied security fixes to these libraries, which we did.
There are sr#1129768 and sr#1129766 for 15sp4 and 15sp5 backports respectively. Not sure whether sr#1129764 should be done differently. Do not know what to do with 15sp3 backports, it does not branch with mbranch anymore. What do you think?
15 sp3 backports is EOL.
I thought so, just that my wrong request was accepted: https://build.opensuse.org/request/show/1125571 but it does not seem to have any effect. Thanks, if anything else, let me know.
New attempts: sr#1129775, sr#1129777, sr#1129778.
This is an autogenerated message for OBS integration:
This bug (1215937) was mentioned in
https://build.opensuse.org/request/show/1129775 Backports:SLE-15-SP4 / optipng
https://build.opensuse.org/request/show/1129777 Backports:SLE-15-SP5 / optipng
https://build.opensuse.org/request/show/1129778 Backports:SLE-15-SP6 / optipng

openSUSE-SU-2023:0383-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1215937
CVE References: CVE-2023-43907
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): optipng-0.7.8-bp155.5.5.1
Requests were accepted, I believe all fixed.
openSUSE-SU-2023:0388-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1215937
CVE References: CVE-2023-43907
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): optipng-0.7.8-bp154.3.5.1