Bug 31764

Summary: jpegoptim new security issue CVE-2023-27781
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, dan, davidwhodgins, herman.viaene, marja11, sysadmin-bugs
Version: 8Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: jpegoptim-1.5.1-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-04-05 03:12:13 CEST 
Fedora has issued an advisory today (April 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/66ZW65INCWSQYIT5E6N6I6PE5D7R6EK7/

The issue is fixed upstream in 1.5.3.

Mageia 8 is also affected.
David Walser 2023-04-05 03:12:33 CEST

Status comment: (none) => Fixed upstream in 1.5.3
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2023-04-05 17:50:01 CEST 
Assigning to our registered jpegoptim maintainer

CC: (none) => marja11
Assignee: bugsquad => dan

Comment 2 Dan Fandrich 2023-04-07 08:33:30 CEST 
jpegoptim-1.5.3-1.mga9 is available in updates_testing in Cauldron with an outstanding move request to mga9.

jpegoptim-1.5.1-1.1.mga8 is available in updates_testing in mga8.

Generic regression test procedure:

1. cp /usr/share/doc/HTML/en/common/top-kde.jpg /tmp   # or another suitable JPEG file
2. jpegoptim -tv /tmp/top-kde.jpg
3. display /tmp/top-kde.jpg  # or another image viewing program

The result should be no error messages shown and a visible image that matches the original.

Security fix test procedure:

1. sudo urpmi curl valgrind
2. curl -RLo /tmp/poc.jpg https://github.com/blu3sh0rk/Fuzzing-crash/raw/main/jpegoptim/stdout-heapoverflow
3. valgrind jpegoptim --stdout /tmp/poc.jpg >/tmp/out

valgrind will show "Invalid read" and "write(buf) points to uninitialised byte(s)" errors on a vulnerable jpegoptim (e.g. 
jpegoptim-1.5.1-1.mga8) and no errors on a fixed jpegoptim (e.g. jpegoptim-1.5.1-1.1.mga8).

Whiteboard: MGA8TOO => MGA8TOO has_procedure
CC: (none) => dan
Assignee: dan => qa-bugs

Comment 3 Dan Fandrich 2023-04-07 08:41:28 CEST 
Suggested advisory:
========================

Updated jpegoptim packages fix a security vulnerability.

A heap-buffer-overflow can occur when processing a corrupted JPEG image file.

References:
https://bugs.mageia.org/show_bug.cgi?id=31764
https://github.com/tjko/jpegoptim/issues/132
https://nvd.nist.gov/vuln/detail/CVE-2023-27781
========================

Updated packages in core/updates_testing:
========================
jpegoptim-1.5.1-1.1.mga8

Source RPMs:
jpegoptim-1.5.1-1.1.mga8.src.rpm
David Walser 2023-04-07 13:44:57 CEST

Status comment: Fixed upstream in 1.5.3 => (none)
Whiteboard: MGA8TOO has_procedure => (none)
Version: Cauldron => 8
Keywords: (none) => has_procedure

Comment 4 Dan Fandrich 2023-04-11 00:12:57 CEST 
David, I noticed you moved has_procedure from Whiteboard to Keywords. Does that mean https://wiki.mageia.org/en/QA_whiteboard_keywords needs to be changed?
Comment 5 David Walser 2023-04-11 00:30:17 CEST 
Yes, thank you for catching that.
Comment 6 Herman Viaene 2023-04-13 15:51:07 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Following lead above.
$ cd Pictures/19761105TrouwLodeNoella/
$ cp D053.jpg /tmp
$ jpegoptim -tv /tmp/D053.jpg 
Using maximum of 1 parallel threads
/tmp/D053.jpg 1656x988 24bit N JFIF  [OK] 125813 --> 116929 bytes (7.06%), optimized.
Average compression (1 files): 7.06% (total saved 9k)
Checked file sizes: original 125kb, optimized 116kb
$ display /tmp/D053.jpg 
$ display D053.jpg 
Both files display OK, no visible differences.
Good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2023-04-13 16:27:18 CEST 
Validating. Advisory in comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-04-15 18:25:51 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-04-15 21:05:29 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0143.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED