Bug 6928

Mandriva has also issued an advisory for this:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:121

There are several different versions here, so several libs to test.

Mageia 1
--------
For lib(64)jpeg6 use some of the utilities from the jpeg6-progs package.

To get a list of those use:
$ urpmf jpeg6-progs | grep bin

For lib(64)jpeg8:
You can use any/many of the programs you find with:
$ urpmq --whatrequires lib64jpeg8

Check they seem to work OK with jpegs, you can also show it is using the library with strace by for example, using graphicsmagick to display a jpeg image..

$ strace -o strace.out gm display thumbnail.jpg 
$ grep jpeg strace.out

You should see a line like this..

open("/usr/lib64/libjpeg.so.8", O_RDONLY) = 4

Also there is a jpeg-progs package which appears to use this lib so use urpmf to find the executables for that as before, as an alternative.

Mageia 2
--------
jpeg-progs uses lib(64)jpeg8 so they can be used for testing that one, or any/many of the programs found with urpmq --whatrequires as for Mageia 1.

lib(64)jpeg62 is a difficult one as it's not required by anything. Unless there is a better way then just test it can be updated without any errors.

Hardware: i586 => All
Whiteboard: MGA1TOO => MGA1TOO has_procedure

Testing Mageia 1 32 complete.

--- libjpeg62 ---
After installing jpeg6-progs:

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg
# convert jpeg to bmp
djpeg -verbose test.jpg > test2.bmp
gm display test2.bmp
# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg

--- libjpeg8 ---
[samuel@localhost Téléchargements]$ strace -o strace.out gm display test.JPG
[samuel@localhost Téléchargements]$ grep jpeg strace.out
access("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", R_OK) = 0
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", O_RDONLY|O_LARGEFILE) = 4
read(4, "# jpeg.la - a libtool library fi"..., 4096) = 1152
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.so", O_RDONLY) = 4
open("/usr/lib/libjpeg.so.8", O_RDONLY) = 4

and also, after installing jpeg-progs instead of jpeg6-progs

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg
# convert jpeg to bmp
djpeg -verbose test.jpg > test2.bmp
gm display test2.bmp
# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg


and optionally, for some fun

check that xmoto works well

CC: (none) => stormi
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA1-32-OK

(In reply to comment #0)
> Updated libjpeg packages fix security vulnerability:
> [...]
> application using libpng to crash

@David Walser: libpng, really? :)

Testing complete on Mageia 2 32 using same steps as comment #3 for libjpeg8 (including xmoto :))

Whiteboard: MGA1TOO has_procedure MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK

Loaded jpeg-progs and GraphicsMagick

With gm :
# strace -o strace.out gm display /home/mornot/thumbnail.jpg

# grep jpeg strace.out
access("/usr/lib64/GraphicsMagick-1.3.13/modules-Q8/coders/jpeg.so", R_OK) = 0
open("/usr/lib64/GraphicsMagick-1.3.13/modules-Q8/coders/jpeg.so", O_RDONLY) = 4
open("/usr/lib64/libjpeg.so.8", O_RDONLY) = 4

With jpeg-progs
# djpeg -verbose thumbnail.jpg > thumbnail.bmp
libjpeg-turbo version 1.2.0 (build 20120801)
Copyright (C) 1991-2010 Thomas G. Lane, Guido Vollbeding
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 2009-2012 D. R. Commander
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)

Emulating The Independent JPEG Group's libjpeg, version 8b  16-May-2010

Start of Image
JFIF APP0 marker: version 1.01, density 1x1  0
Define Quantization Table 0  precision 0
Define Quantization Table 1  precision 0
Start Of Frame 0xc0: width=244, height=207, components=3
    Component 1: 2hx2v q=0
    Component 2: 1hx1v q=1
    Component 3: 1hx1v q=1
Define Huffman Table 0x00
Define Huffman Table 0x10
Define Huffman Table 0x01
Define Huffman Table 0x11
Start Of Scan: 3 components
    Component 1: dc=0 ac=0
    Component 2: dc=1 ac=1
    Component 3: dc=1 ac=1
  Ss=0, Se=63, Ah=0, Al=0
End Of Image

# cjpeg -grayscale -verbose thumbnail.bmp > thumbnail2.jpg
libjpeg-turbo version 1.2.0 (build 20120801)
Copyright (C) 1991-2010 Thomas G. Lane, Guido Vollbeding
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 2009-2012 D. R. Commander
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)

Emulating The Independent JPEG Group's libjpeg, version 8b  16-May-2010

244x207 PPM image

#gm display /home/mornot/thumbnail.bmp  (ok)

# jpegtran -rotate 90 thumbnail.jpg > thumbnail3.jpg
# gm display thumbnail3.jpg  (ok)

Xmoto.... it works !

CC: (none) => stblack
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA2-64-OK

Testing Mageia 1 64 bits complete.

Updating my procedure to fix a naming error (bmp instead of pgm), resulting in gwenview being unable to read the test2.bmp file.


Testing Mageia 1 32 complete.

--- libjpeg62 ---
After installing jpeg6-progs:

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg
# convert jpeg to bmp
djpeg -verbose test.jpg > test2.pgm
gm display test2.pgm
# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg

--- libjpeg8 ---
[samuel@localhost Téléchargements]$ strace -o strace.out gm display test.JPG
[samuel@localhost Téléchargements]$ grep jpeg strace.out
access("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", R_OK) = 0
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la",
O_RDONLY|O_LARGEFILE) = 4
read(4, "# jpeg.la - a libtool library fi"..., 4096) = 1152
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.so", O_RDONLY) = 4
open("/usr/lib/libjpeg.so.8", O_RDONLY) = 4

and also, after installing jpeg-progs instead of jpeg6-progs

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg
# convert jpeg to bmp
djpeg -verbose test.jpg > test2.pgm
gm display test2.pgm
# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg


and optionally, for some fun

check that xmoto works well

Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA2-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA2-64-OK MGA1-64-OK

Update validated. No linking required.

See comment #0 for advisory and RPMS. Just replace "libpng" with "libjpeg" in the advisory, I guess.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Hehe, that's the way it was written in both Novell and RedHat's bugzilla.  I didn't even notice.

BTW, apparently Mozilla's Bugzilla has a reproducer.  From the discussion it sounds like the Mageia 1 versions may not have been vulnerable...
https://bugzilla.mozilla.org/show_bug.cgi?id=759802

Unvalidating (sorry!) until QA has a chance to check the reproducer(s) against the /release versions in Mageia 1.

Keywords: validated_update => (none)

On second thought, SuSE patched old versions too, and based on the mozilla bug discussion, the patch won't hurt anything even if it's not needed.  QA can still try the reproducers if they want, but this can be validated.

Validating then, if someone wants to try the reproducers, they are more than welcome though.

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0203

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED