The latest Chromium browser update announcement [1] lists two read-of-uninitialized-memory security issues that they have fixed in libjpeg-turbo. Specific details about these vulnerabilities were made available today on the full-disclosure mailing list [2], including PoCs.

[1] http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
[2] http://permalink.gmane.org/gmane.comp.security.full-disclosure/90919
Whiteboard: (none) => MGA3TOO, MGA2TOO
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron. For those interested, the one patch has two hunks, the first of which fixes CVE-2013-6629 and the second of which fixes CVE-2013-6630.

Note to QA: see the full-disclosure list reference for PoC information.

Advisory:
========================

Updated libjpeg packages fix security vulnerabilities:

libjpeg 6b and libjpeg-turbo will use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in presence of valid chroma data (Cr, Cb) (CVE-2013-6629).

libjpeg-turbo will use uninitialized memory when handling Huffman tables (CVE-2013-6630).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6630
http://permalink.gmane.org/gmane.comp.security.full-disclosure/90919
http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
========================

Updated packages in core/updates_testing:
========================
libjpeg8-1.2.0-4.2.mga2
libjpeg62-1.2.0-4.2.mga2
libjpeg-devel-1.2.0-4.2.mga2
libjpeg-static-devel-1.2.0-4.2.mga2
jpeg-progs-1.2.0-4.2.mga2

libjpeg8-1.2.1-4.1.mga3
libjpeg62-1.2.1-4.1.mga3
libturbojpeg-1.2.1-4.1.mga3
libjpeg-devel-1.2.1-4.1.mga3
libjpeg-static-devel-1.2.1-4.1.mga3
jpeg-progs-1.2.1-4.1.mga3

from SRPMS:
libjpeg-1.2.0-4.2.mga2.src.rpm
libjpeg-1.2.1-4.1.mga3.src.rpm
Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Severity: normal => major
======================================================
Name: CVE-2013-6629
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Assigned: 20131105
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: CONFIRM:http://bugs.ghostscript.com/show_bug.cgi?id=686980
Reference: CONFIRM:http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: CONFIRM:https://code.google.com/p/chromium/issues/detail?id=258723
Reference: CONFIRM:https://src.chromium.org/viewvc/chrome?revision=229729&view=revision

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.
======================================================
Name: CVE-2013-6630
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6630
Assigned: 20131105
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: CONFIRM:http://git.chromium.org/gitweb/?p=chromium/deps/libjpeg_turbo.git;a=commit;h=32cab49bd4cb1ce069a435fd75f9439c34ddc6f8
Reference: CONFIRM:http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: CONFIRM:https://code.google.com/p/chromium/issues/detail?id=299835

The get_dht function in jdmarker.c in libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48 and other products, does not set all elements of a certain Huffman value array during the reading of segments that follow Define Huffman Table (DHT) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.
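As an added illustration of the missing get_sos check described in the CVE-2013-6629 entry above (example code written for this page, not code from the bug report, Mageia, or libjpeg-turbo), this Python marker walker parses a JPEG's marker segments and flags any scan header that lists the same component more than once, the condition the patched get_sos rejects. The two sample byte strings are constructed marker skeletons, not real or decodable images.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))  # no length field: SOI, EOI, TEM, RSTn

def iter_segments(data):
    """Yield (marker, payload) for every marker segment in a JPEG byte string."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, b""
            if marker == EOI:
                return
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError("truncated segment at offset %d" % pos)
        yield marker, payload
        pos += 2 + length
        if marker == SOS:  # skip entropy-coded data: FF00 is stuffed, FFD0..D7 are RSTn
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0 and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1

def check_sos_components(data):
    """Return one finding per scan header that lists the same component twice."""
    findings = []
    for marker, payload in iter_segments(data):
        if marker == SOS:  # Ns at payload[0], then (component id, table selectors) pairs
            ids = [payload[1 + 2 * i] for i in range(payload[0])]
            findings += ["SOS repeats component id %d" % c for c in sorted(set(ids)) if ids.count(c) > 1]
    return findings

# Constructed marker skeletons (no DQT/DHT, not decodable images) to exercise the check.
def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

SOF0_YCC = _segment(0xC0, bytes([8, 0, 8, 0, 8, 3, 1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1]))  # Y, Cb, Cr
def _sos(ids):  # baseline scan header: Ss=0, Se=63, Ah/Al=0
    return _segment(SOS, bytes([len(ids)] + [b for c in ids for b in (c, 0x11)] + [0, 63, 0]))

GOOD_JPEG = b"\xff\xd8" + SOF0_YCC + _sos([1, 2, 3]) + b"\x00\x00" + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8" + SOF0_YCC + _sos([2, 2, 3]) + b"\x00\x00" + b"\xff\xd9"  # Y absent, Cb twice
```

Running `check_sos_components(BAD_JPEG)` reports the repeated component 2, while the well-formed skeleton produces no findings.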
CC: (none) => oe
CVE-2013-6629: https://bugzilla.redhat.com/show_bug.cgi?id=1031734
CVE-2013-6630: https://bugzilla.redhat.com/show_bug.cgi?id=1031749
Simple procedure: http://lcamtuf.coredump.cx/jpeg_leak/
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Advisory from comment 1 uploaded. Please remove the 'advisory' whiteboard tag if anything changes.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory
Testing complete mga2 32

Before: Bits of kitty
After: No bits of kitty
Testing complete mga2 64
Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok
Testing complete mga3 32 & 64

Validating. Could sysadmin please push from 2 & 3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0333.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED