Bug 11658 - libjpeg-turbo new security issues CVE-2013-6629 and CVE-2013-6630
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update
Reported: 2013-11-12 19:39 CET by David Walser
Modified: 2013-11-20 22:00 CET

Source RPM: libjpeg-1.3.0-2.mga4.src.rpm
Description David Walser 2013-11-12 19:39:37 CET
The latest Chromium browser update announcement [1] lists two read-of-uninitialized-memory security issues that they have fixed in libjpeg-turbo. Specific details about these vulnerabilities were made available today on the full-disclosure mailing list [2], including PoCs.

[1] http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
[2] http://permalink.gmane.org/gmane.comp.security.full-disclosure/90919

Comment 1 David Walser 2013-11-12 20:20:17 CET
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

For those interested, the one patch has two hunks, the first of which fixes CVE-2013-6629 and the second of which fixes CVE-2013-6630.

Note to QA, see the full-disclosure list reference for PoC information.

Advisory:
========================

Updated libjpeg packages fix security vulnerabilities:

libjpeg 6b and libjpeg-turbo will use uninitialized memory when decoding
images with missing SOS data for the luminance component (Y) in the presence
of valid chroma data (Cr, Cb) (CVE-2013-6629).

libjpeg-turbo will use uninitialized memory when handling Huffman tables
(CVE-2013-6630).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6630
http://permalink.gmane.org/gmane.comp.security.full-disclosure/90919
http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
========================

Updated packages in core/updates_testing:
========================
libjpeg8-1.2.0-4.2.mga2
libjpeg62-1.2.0-4.2.mga2
libjpeg-devel-1.2.0-4.2.mga2
libjpeg-static-devel-1.2.0-4.2.mga2
jpeg-progs-1.2.0-4.2.mga2
libjpeg8-1.2.1-4.1.mga3
libjpeg62-1.2.1-4.1.mga3
libturbojpeg-1.2.1-4.1.mga3
libjpeg-devel-1.2.1-4.1.mga3
libjpeg-static-devel-1.2.1-4.1.mga3
jpeg-progs-1.2.1-4.1.mga3

from SRPMS:
libjpeg-1.2.0-4.2.mga2.src.rpm
libjpeg-1.2.1-4.1.mga3.src.rpm
Comment 2 Oden Eriksson 2013-11-19 10:16:45 CET
======================================================
Name: CVE-2013-6629
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Assigned: 20131105
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: CONFIRM:http://bugs.ghostscript.com/show_bug.cgi?id=686980
Reference: CONFIRM:http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: CONFIRM:https://code.google.com/p/chromium/issues/detail?id=258723
Reference: CONFIRM:https://src.chromium.org/viewvc/chrome?revision=229729&view=revision

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2)
libjpeg-turbo through 1.3.0, as used in Google Chrome before
31.0.1650.48, Ghostscript, and other products, does not check for
certain duplications of component data during the reading of segments
that follow Start Of Scan (SOS) JPEG markers, which allows remote
attackers to obtain sensitive information from uninitialized memory
locations via a crafted JPEG image.

======================================================
Name: CVE-2013-6630
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6630
Assigned: 20131105
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: CONFIRM:http://git.chromium.org/gitweb/?p=chromium/deps/libjpeg_turbo.git;a=commit;h=32cab49bd4cb1ce069a435fd75f9439c34ddc6f8
Reference: CONFIRM:http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: CONFIRM:https://code.google.com/p/chromium/issues/detail?id=299835

The get_dht function in jdmarker.c in libjpeg-turbo through 1.3.0, as
used in Google Chrome before 31.0.1650.48 and other products, does not
set all elements of a certain Huffman value array during the reading
of segments that follow Define Huffman Table (DHT) JPEG markers, which
allows remote attackers to obtain sensitive information from
uninitialized memory locations via a crafted JPEG image.
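The two CVE descriptions above name two missing checks in jdmarker.c: get_sos() accepting a scan that names the same component more than once, and get_dht() leaving part of the Huffman value array unset. The following is an added illustration, not libjpeg-turbo code, of what a reader of those two segments should do instead; the function names are hypothetical and the sample bytes are constructed (they are not the published PoCs), laid out as ITU T.81 defines the SOS and DHT payloads.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Returns 1 if an SOS payload (Ns, then Ns (Cs, Td/Ta) pairs, then Ss, Se,
 * Ah/Al) is well formed and names each component at most once. A scan that
 * listed Cb twice and Y never passed the old get_sos(), so the Y buffer was
 * never written and later read as image data. */
int sos_header_ok(const uint8_t *p, size_t n)
{
    size_t ns = n ? p[0] : 0;
    if (ns < 1 || ns > 4 || n < 1 + 2 * ns + 3) return 0;
    for (size_t i = 0; i < ns; i++)
        for (size_t j = 0; j < i; j++)
            if (p[1 + 2 * j] == p[1 + 2 * i])
                return 0;                /* duplicate component selector */
    return 1;
}

/* Reads one DHT table (Tc/Th, 16 code-length counts, then the symbols) into
 * huffval[256]. The array is zeroed first, so entries the segment does not
 * supply hold 0 rather than stale memory. Returns bytes consumed, 0 if bad. */
size_t dht_table_read(const uint8_t *p, size_t n, uint8_t huffval[256])
{
    memset(huffval, 0, 256);             /* the initialization that was missing */
    if (n < 17) return 0;
    unsigned count = 0;
    for (int i = 1; i <= 16; i++) count += p[i];
    if (count > 256 || n - 17 < count) return 0;
    memcpy(huffval, p + 17, count);
    return 17 + count;
}

/* Constructed samples, not the published PoCs: a normal YCbCr scan header,
 * a scan that names Cb twice and omits Y, and a three-symbol DC table. */
static const uint8_t sos_good[] = {3, 1, 0x00, 2, 0x11, 3, 0x11, 0, 63, 0};
static const uint8_t sos_dup[]  = {3, 2, 0x11, 2, 0x11, 3, 0x11, 0, 63, 0};
static const uint8_t dht_small[] = {0x00, 0, 1, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                    0, 0, 0, 0, 0x05, 0x06, 0x07};

/* Dirties a buffer, reads the table, and reports whether every entry beyond
 * the three supplied symbols came back as zero. */
int dht_leaves_nothing_stale(void)
{
    uint8_t hv[256];
    memset(hv, 0xAA, sizeof hv);         /* simulate stale stack contents */
    if (dht_table_read(dht_small, sizeof dht_small, hv) != 20) return 0;
    for (int i = 3; i < 256; i++) if (hv[i] != 0) return 0;
    return hv[0] == 0x05 && hv[1] == 0x06 && hv[2] == 0x07;
}
```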
Comment 4 claire robinson 2013-11-19 10:36:49 CET
Simple procedure: http://lcamtuf.coredump.cx/jpeg_leak/
Comment 5 claire robinson 2013-11-19 11:35:01 CET
Advisory from comment 1 uploaded. Please remove 'advisory' whiteboard tag if anything changes.
Comment 6 claire robinson 2013-11-19 15:28:53 CET
Testing complete mga2 32

Before: Bits of kitty

After: No bits of kitty
Comment 7 claire robinson 2013-11-19 15:34:42 CET
Testing complete mga2 64
Comment 8 claire robinson 2013-11-19 15:54:47 CET
Testing complete mga3 32 & 64

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 9 Thomas Backlund 2013-11-20 22:00:04 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0333.html
