Date: Thu, 21 Mar 2013 16:33:30 GMT From: Alexander Milanov <a@amilanov.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/177206: [patch] graphics/optipng: update to 0.7.4 and fix CVE-2012-4432 Message-ID: <201303211633.r2LGXULZ036876@red.freebsd.org> Resent-Message-ID: <201303211640.r2LGe3gG018099@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 177206
>Category: ports
>Synopsis: [patch] graphics/optipng: update to 0.7.4 and fix CVE-2012-4432
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 21 16:40:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Alexander Milanov
>Release: 9.1-RELEASE
>Organization:
>Environment:
FreeBSD t1 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243826: Tue Dec 4 06:55:39 UTC 2012 root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
A use-after-free vulnerability in the palette reduction code has been discovered in the versions 0.7, 0.7.1 and 0.7.2.
>How-To-Repeat:
>Fix:
- Update to 0.7.4
- Add VuXML entry
- Trim header
- Add LICENSE
Patch attached with submission follows:
Index: graphics/optipng/Makefile
===================================================================
--- graphics/optipng/Makefile (revision 314842)
+++ graphics/optipng/Makefile (working copy)
@@ -1,18 +1,17 @@
-# New ports collection makefile for: optipng
-# Date created: 09 July 2003
-# Whom: Thomas Hurst <freaky@aagh.net>
-#
+# Created by: Thomas Hurst <freaky@aagh.net>
# $FreeBSD$
-#
PORTNAME= optipng
-PORTVERSION= 0.7.1
+PORTVERSION= 0.7.4
CATEGORIES= graphics
MASTER_SITES= SF/${PORTNAME}/OptiPNG/${PORTNAME}-${PORTVERSION}
MAINTAINER= tom@hur.st
COMMENT= An optimizer for PNG files
+LICENSE= ZLIB
+LICENSE_FILE= ${WRKSRC}/LICENSE.txt
+
OPTIONS_DEFINE= BUNDLED_LIBPNG BUNDLED_ZLIB
BUNDLED_LIBPNG_DESC= Use bundled libpng
Index: graphics/optipng/distinfo
===================================================================
--- graphics/optipng/distinfo (revision 314842)
+++ graphics/optipng/distinfo (working copy)
@@ -1,2 +1,2 @@
-SHA256 (optipng-0.7.1.tar.gz) = 6d28cd194729f6c806df24cb604355f27c4badd4457fffcbeeca23d9b6106b76
-SIZE (optipng-0.7.1.tar.gz) = 1608280
+SHA256 (optipng-0.7.4.tar.gz) = 520b5d5a9405dbdc5c905dd0cff87211e69c4ed2059744037510e613fe8237ff
+SIZE (optipng-0.7.4.tar.gz) = 1613916
Index: security/vuxml/vuln.xml
===================================================================
--- security/vuxml/vuln.xml (revision 314842)
+++ security/vuxml/vuln.xml (working copy)
@@ -51,6 +51,38 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+ <vuln vid="a8818f7f-9182-11e2-9bdf-d48564727302">
+ <topic>optipng -- use-after-free vulnerability</topic>
+ <affects>
+ <package>
+ <name>optipng</name>
+ <range><ge>0.7</ge><lt>0.7.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">;
+ <p>Secunia reports:</p>
+ <blockquote cite="https://secunia.com/advisories/50654">;
+ <p>A vulnerability has been reported in OptiPNG, which can be
+ exploited by malicious people to potentially compromise a user's
+ system.</p>
+ <p>The vulnerability is caused due to a use-after-free error related
+ to the palette reduction functionality. No further information is
+ currently available.</p>
+ <p>Success exploitation may allow execution of arbitrary code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-4432</cvename>
+ <url>https://secunia.com/advisories/50654</url>;
+ </references>
+ <dates>
+ <discovery>2012-09-16</discovery>
+ <entry>2013-03-21</entry>
+ </dates>
+ </vuln>
+
<vuln vid="1d23109a-9005-11e2-9602-d43d7e0c7c02">
<topic>php5 -- Multiple vulnerabilities</topic>
<affects>
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201303211633.r2LGXULZ036876>