Bug 2242138 (CVE-2023-43907)

Summary: CVE-2023-43907 optipng: global buffer overflow via the 'buffer' variable at gifread.c.
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability has been identified in OptiPNG's handling of GIF input. The issue is a global buffer overflow involving the 'buffer' variable in the gifread.c component. An attacker could exploit it to crash the OptiPNG program by supplying a specially crafted GIF file for processing.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2242460, 2242461
Bug Blocks: 2242137

Comment 2 Sandipan Roy 2023-10-06 09:53:32 UTC
Created optipng tracking bugs for this issue:

Affects: epel-all [bug 2242460]
Affects: fedora-all [bug 2242461]