| Summary: | libjpeg new security issues CVE-2018-1152 and CVE-2018-11813 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, joequant, marja11, mhrambo3501, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | libjpeg-1.5.3-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser
2018-06-26 23:20:12 CEST

David Walser
2018-06-26 23:20:20 CEST
Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package, CC'ing two committers.

CC: (none) => joequant, marja11, nicolas.salguero

SUSE has issued an advisory on June 27:
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004223.html

The SUSE bug for CVE-2018-1152 has a link to the upstream commit that fixed it:
https://bugzilla.suse.com/show_bug.cgi?id=1098155

Summary: libjpeg new security issue CVE-2018-11813 => libjpeg new security issues CVE-2018-1152 and CVE-2018-11813

Fedora has issued an advisory for this on July 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHRJSPZHPTSJWFXG5YW7OD4MM4WAPXFF/

Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libjpeg package fixes security vulnerabilities:

It was found that libjpeg is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image (CVE-2018-1152).

It was found that libjpeg had a defect where, due to a mishandled EOF, a specially crafted malformed input file (specifically a file with a valid Targa header but incomplete pixel data) would cause cjpeg to generate a file that was potentially thousands of times larger than the input file (CVE-2018-11813).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1152
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3CDV3ULRXQEMV7OHCB5MSITEIVOI5EPN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHRJSPZHPTSJWFXG5YW7OD4MM4WAPXFF/
========================

Updated packages in core/updates_testing:
========================
jpeg-progs-1.5.1-1.2.mga6
lib64jpeg62-1.5.1-1.2.mga6
lib64jpeg8-1.5.1-1.2.mga6
lib64jpeg-devel-1.5.1-1.2.mga6
lib64jpeg-static-devel-1.5.1-1.2.mga6
lib64turbojpeg0-1.5.1-1.2.mga6

from libjpeg-1.5.1-1.2.mga6.src.rpm

Testing procedures.
https://bugs.mageia.org/show_bug.cgi?id=6928#c6
https://bugs.mageia.org/show_bug.cgi?id=21974#c6

Whiteboard: MGA6TOO => (none)

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
At CLI:
$ djpeg -verbose -bmp 34815267.jpg > 34815267.bmp
libjpeg-turbo version 1.5.1 (build 20180725)
Copyright (C) 2009-2016 D. R. Commander
Copyright (C) 2011-2016 Siarhei Siamashka
Copyright (C) 2015-2016 Matthieu Darbois
Copyright (C) 2015 Google, Inc.
Copyright (C) 2013-2014 MIPS Technologies, Inc.
Copyright (C) 2013 Linaro Limited
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 1991-2016 Thomas G. Lane, Guido Vollbeding
Emulating The Independent JPEG Group's software, version 8d 15-Jan-2012
Start of Image
JFIF APP0 marker: version 1.01, density 72x72 1
Miscellaneous marker 0xe2, length 1318
Define Quantization Table 0 precision 0
Define Quantization Table 1 precision 0
Start Of Frame 0xc0: width=500, height=375, components=3
Component 1: 1hx1v q=0
Component 2: 1hx1v q=1
Component 3: 1hx1v q=1
Define Huffman Table 0x00
Define Huffman Table 0x10
Define Huffman Table 0x01
Define Huffman Table 0x11
Start Of Scan: 3 components
Component 1: dc=0 ac=0
Component 2: dc=1 ac=1
Component 3: dc=1 ac=1
Ss=0, Se=63, Ah=0, Al=0
End Of Image
$ display 34815267.bmp
display is OK
$ cjpeg -grayscale -verbose 34815267.bmp > gray1.jpg
libjpeg-turbo version 1.5.1 (build 20180725)
Copyright (C) 2009-2016 D. R. Commander
Copyright (C) 2011-2016 Siarhei Siamashka
Copyright (C) 2015-2016 Matthieu Darbois
Copyright (C) 2015 Google, Inc.
Copyright (C) 2013-2014 MIPS Technologies, Inc.
Copyright (C) 2013 Linaro Limited
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 1991-2016 Thomas G. Lane, Guido Vollbeding
Emulating The Independent JPEG Group's software, version 8d 15-Jan-2012
500x375 24-bit BMP image
$ display gray1.jpg
display is OK
$ jpegtran -rotate 90 gray1.jpg > gray2.jpg
$ display gray2.jpg
display is OK
files look OK in preview in caja as well
OK for me.

CC: (none) => herman.viaene

Mageia 6, x86_64

Checked the CVEs before updating.

CVE-2018-11813
Report @ https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9c
PoC file from this link - click on it then download the file:
https://github.com/ChijinZ/security_advisories/blob/master/libjpeg-v9c/large_loop

$ perf record cjpeg large_loop > out
[ perf record: Woken up 384 times to write data ]
[ perf record: Captured and wrote 96.730 MB perf.data (2535050 samples) ]

This goes into a spin, 100% on one core, for a very long time, creating a 21MB file from a 6KB input. The perf.data file is even larger, 101MB.

CVE-2018-1152
Denial of Service in libturbojpeg.
No test found.

Updated from testing; ran the available PoC.

$ perf record cjpeg large_loop > out
Premature end of input file
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.023 MB perf.data (7 samples) ]

This returned immediately with an empty out file.

strace showed that GraphicsMagick employs lib64jpeg at some stage in JPEG conversions.

Ran similar tests to those already reported by other users.

$ djpeg -verbose sunset.jpg > sunset.bmp
libjpeg-turbo version 1.5.1 (build 20180725)
Copyright (C) 2009-2016 D. R. Commander
[...]
Emulating The Independent JPEG Group's software, version 8d 15-Jan-2012
Start of Image
JFIF APP0 marker: version 1.01, density 72x72 1
Comment, length 16: Adobe ImageReady
Define Quantization Table 0 precision 0
Define Quantization Table 1 precision 0
Start Of Frame 0xc2: width=1600, height=1066, components=3
Component 1: 1hx1v q=0
Component 2: 1hx1v q=1
Component 3: 1hx1v q=1
Define Huffman Table 0x00
[...]
$ gm display sunset.bmp
$ gwenview sunset.bmp
QImageReader::read() using format hint "bmp" failed: "Unknown error"
A bad Qt image decoder moved the buffer to 14 in a call to canRead()! Rewinding.
Image format is actually "ppm" not "bmp"
<gwenview did display the image>

Taking note of herman's modification:
$ djpeg -verbose -bmp sunset.jpg > sunset_1.bmp
gwenview can now display the image without quibbling.

This also works:
$ djpeg sunset.jpg > sunset.pgm
$ ll sunset*
-rw-r--r-- 1 lcl lcl 5116854 Jul 28 19:15 sunset_1.bmp
-rw-r--r-- 1 lcl lcl 5116817 Jul 28 19:10 sunset.bmp
-rw-r--r-- 1 lcl lcl 1287911 Mar 14 22:01 sunset.jpg
-rw-r--r-- 1 lcl lcl 5116817 Jul 28 19:19 sunset.pgm
$ cjpeg -grayscale -verbose sunset.bmp > sunset_grey.jpg
libjpeg-turbo version 1.5.1 (build 20180725)
Copyright (C) 2009-2016 D. R. Commander
[...]
Emulating The Independent JPEG Group's software, version 8d 15-Jan-2012
1600x1066 PPM image
Greyscale image as expected.
$ jpegtran -rotate 180 sunset_1.jpg > sunset_flip.jpg
$ gm display sunset_flip.jpg
Upside down, as required.

OK for 64-bits as well.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
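The advisory above describes CVE-2018-11813 as a file with a valid Targa header but incomplete pixel data, and the PoC run above shows the symptom (a 6KB input turning into a 21MB output). As an added example, not part of this bug report or of the libjpeg code, the check below reads a TGA header, computes how many pixels it promises, and walks the pixel data while stopping at EOF instead of looping; the sample files it runs on are constructed inline.

```python
import struct

# 18-byte TGA header, little-endian: id_len, cmap_type, img_type, cmap_first,
# cmap_len, cmap_bits, x_origin, y_origin, width, height, depth, descriptor
HEADER = struct.Struct("<BBBHHBHHHHBB")


def tga_header(img_type, width, height, depth):
    """Constructed sample header: no image ID field, no colour map."""
    return HEADER.pack(0, 0, img_type, 0, 0, 0, 0, 0, width, height, depth, 0)


def check_tga(data):
    """Return (ok, reason); ok is False when the pixel data does not cover the header's image."""
    if len(data) < HEADER.size:
        return False, "file shorter than TGA header"
    (id_len, cmap_type, img_type, _first, cmap_len, cmap_bits,
     _x, _y, width, height, depth, _desc) = HEADER.unpack_from(data)
    bpp = (depth + 7) // 8                  # bytes per pixel
    npix = width * height
    pos = HEADER.size + id_len              # skip the image ID field
    if cmap_type:                           # skip colour map data if present
        pos += cmap_len * ((cmap_bits + 7) // 8)
    if img_type in (1, 2, 3):               # uncompressed: expected size is known up front
        need = pos + npix * bpp
        if len(data) < need:
            return False, "need %d bytes for %d pixels, have %d" % (need, npix, len(data))
        return True, "complete uncompressed image"
    if img_type in (9, 10, 11):             # run-length encoded: walk packets, bail at EOF
        covered = 0
        while covered < npix:
            if pos >= len(data):
                return False, "EOF at packet header after %d/%d pixels" % (covered, npix)
            hdr = data[pos]
            count = (hdr & 0x7F) + 1        # pixels this packet covers
            # RLE packet (bit 7 set) carries one pixel; raw packet carries `count` pixels
            pos += 1 + (bpp if hdr & 0x80 else bpp * count)
            if pos > len(data):
                return False, "EOF inside packet after %d/%d pixels" % (covered, npix)
            covered += count
        return True, "complete RLE image"
    return False, "unsupported image type %d" % img_type


if __name__ == "__main__":
    # Constructed 2x2 24-bit samples: complete, truncated uncompressed, truncated RLE
    for name, blob in [("complete", tga_header(2, 2, 2, 24) + bytes(12)),
                       ("short-raw", tga_header(2, 2, 2, 24) + bytes(5)),
                       ("short-rle", tga_header(10, 2, 2, 24) + bytes([0x83]))]:
        print(name, check_tga(blob))
```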
Len Lawrence
2018-07-30 13:23:44 CEST
Keywords: (none) => validated_update

Thomas Backlund
2018-08-10 15:29:23 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0327.html

Resolution: (none) => FIXED