| Summary: | libjpeg-turbo new security issues CVE-2013-6629 and CVE-2013-6630 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | oe, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| Whiteboard: | MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok | ||
| Source RPM: | libjpeg-1.3.0-2.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2013-11-12 19:39:37 CET

David Walser
2013-11-12 19:39:43 CET
Whiteboard: (none) => MGA3TOO, MGA2TOO

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

For those interested, the one patch has two hunks, the first of which fixes CVE-2013-6629 and the second of which fixes CVE-2013-6630.

Note to QA, see the full-disclosure list reference for PoC information.

Advisory:
========================

Updated libjpeg packages fix security vulnerabilities:

libjpeg 6b and libjpeg-turbo will use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in presence of valid chroma data (Cr, Cb) (CVE-2013-6629).

libjpeg-turbo will use uninitialized memory when handling Huffman tables (CVE-2013-6630).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6630
http://permalink.gmane.org/gmane.comp.security.full-disclosure/90919
http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
========================

Updated packages in core/updates_testing:
========================
libjpeg8-1.2.0-4.2.mga2
libjpeg62-1.2.0-4.2.mga2
libjpeg-devel-1.2.0-4.2.mga2
libjpeg-static-devel-1.2.0-4.2.mga2
jpeg-progs-1.2.0-4.2.mga2
libjpeg8-1.2.1-4.1.mga3
libjpeg62-1.2.1-4.1.mga3
libturbojpeg-1.2.1-4.1.mga3
libjpeg-devel-1.2.1-4.1.mga3
libjpeg-static-devel-1.2.1-4.1.mga3
jpeg-progs-1.2.1-4.1.mga3

from SRPMS:
libjpeg-1.2.0-4.2.mga2.src.rpm
libjpeg-1.2.1-4.1.mga3.src.rpm

Version: Cauldron => 3

======================================================
Name: CVE-2013-6629
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131105
Category:
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: CONFIRM:http://bugs.ghostscript.com/show_bug.cgi?id=686980
Reference: CONFIRM:http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: CONFIRM:https://code.google.com/p/chromium/issues/detail?id=258723
Reference: CONFIRM:https://src.chromium.org/viewvc/chrome?revision=229729&view=revision

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.

======================================================
Name: CVE-2013-6630
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6630
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131105
Category:
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: CONFIRM:http://git.chromium.org/gitweb/?p=chromium/deps/libjpeg_turbo.git;a=commit;h=32cab49bd4cb1ce069a435fd75f9439c34ddc6f8
Reference: CONFIRM:http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: CONFIRM:https://code.google.com/p/chromium/issues/detail?id=299835

The get_dht function in jdmarker.c in libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48 and other products, does not set all elements of a certain Huffman value array during the reading of segments that follow Define Huffman Table (DHT) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.

CC: (none) => oe

CVE-2013-6629: https://bugzilla.redhat.com/show_bug.cgi?id=1031734
CVE-2013-6630: https://bugzilla.redhat.com/show_bug.cgi?id=1031749

Simple procedure: http://lcamtuf.coredump.cx/jpeg_leak/

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Advisory from comment 1 uploaded. Please remove 'advisory' whiteboard tag if anything changes.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory

Testing complete mga2 32
Before: Bits of kitty
After: No bits of kitty

Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok

Testing complete mga3 32 & 64

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2013-0333.html

Status: NEW => RESOLVED
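
The CVE-2013-6630 record quoted above describes a DHT parser that does not set every element of a Huffman value array. The following is a simplified C model of that pattern beside its hardened form, added here as an illustration and not taken from libjpeg-turbo or from the Mageia patch. `huff_table`, `parse_dht`, `stale_after_parse` and the sample segment are constructed for the example, and the scratch buffer is pre-filled with 0xAA to stand in for leftover memory.

```c
#include <stddef.h>
#include <string.h>
#define HUFFVAL_MAX 256

/* Hypothetical, simplified decoder table; the whole huffval array persists. */
typedef struct {
    unsigned char bits[17];             /* bits[k] = codes of length k */
    unsigned char huffval[HUFFVAL_MAX]; /* only the first `count` are defined */
} huff_table;

/* Parse one DHT table: 1 byte Tc/Th, 16 count bytes, `count` symbol bytes.
 * `scratch` stands in for the parser's local value array; it is passed in so
 * its stale contents are deterministic. zero_first=0 models the flaw, 1 the
 * hardened form. Returns the symbol count, or -1 if malformed. */
int parse_dht(const unsigned char *seg, size_t len,
              unsigned char scratch[HUFFVAL_MAX], huff_table *out, int zero_first)
{
    size_t count = 0, i;
    if (len < 17) return -1;
    out->bits[0] = 0;
    for (i = 1; i <= 16; i++) {
        out->bits[i] = seg[i];
        count += seg[i];
    }
    if (count > HUFFVAL_MAX || count > len - 17) return -1;
    if (zero_first)
        memset(scratch, 0, HUFFVAL_MAX);        /* define every element */
    memcpy(scratch, seg + 17, count);
    memcpy(out->huffval, scratch, HUFFVAL_MAX); /* full array is copied */
    return (int)count;
}

/* Constructed sample: two codes of length 2, one of length 3. */
const unsigned char SAMPLE_DHT[] = {
    0x00, 0, 2, 1, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0x01, 0x02, 0x03
};

/* Count bytes past the defined symbols that still hold simulated stale data. */
int stale_after_parse(int zero_first)
{
    unsigned char scratch[HUFFVAL_MAX];
    huff_table t;
    int i, n, stale = 0;
    memset(scratch, 0xAA, sizeof scratch);      /* simulated leftover memory */
    n = parse_dht(SAMPLE_DHT, sizeof SAMPLE_DHT, scratch, &t, zero_first);
    for (i = (n < 0 ? HUFFVAL_MAX : n); i < HUFFVAL_MAX; i++)
        stale += (t.huffval[i] == 0xAA);
    return stale;
}
```

With the sample segment, the unhardened path carries 253 stale bytes into the table and the zero-filled path carries none.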