A security issue in jbigkit has been announced today (April 8):
http://openwall.com/lists/oss-security/2014/04/08/5

The issue is fixed upstream in 2.1 and a patch is available.

Ideally we should upgrade to 2.1 to get all of the fixes, but someone who understands what the "shared" patch is trying to accomplish will need to re-diff that. It looks like Oden last worked on this, back in the Mandriva days. Even better would be if we could let Fedora do it and switch to their "shlib" patch, which is different, but I would guess accomplishes the same thing. They haven't updated to 2.1 yet.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated jbigkit packages fix security vulnerability:

Florian Weimer found a stack-based buffer overflow flaw in the libjbig library (part of jbigkit). A specially-crafted image file read by libjbig could be used to cause a program linked to libjbig to crash or, potentially, to execute arbitrary code (CVE-2013-6369).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6369
https://bugzilla.redhat.com/show_bug.cgi?id=1032273
========================

Updated packages in core/updates_testing:
========================
jbigkit-2.0-6.1.mga3
libjbig1-2.0-6.1.mga3
libjbig-devel-2.0-6.1.mga3
jbigkit-2.0-7.1.mga4
libjbig1-2.0-7.1.mga4
libjbig-devel-2.0-7.1.mga4

from SRPMS:
jbigkit-2.0-6.1.mga3.src.rpm
jbigkit-2.0-7.1.mga4.src.rpm

CC: (none) => oe
Whiteboard: (none) => MGA3TOO
Is there a simple way to test this, David? Thanks
CC: (none) => wilcal.int
JBIG is a compression format used by some printer drivers and fax devices, and this vulnerability is in the JBIG decoder. We have some printer drivers that use it, libtiff uses it, and imagemagick uses it, so if you can find or generate a JBIG compressed image file and use something that uses this library to decode it, that would work. Check "urpmq --whatrequires libjbig1" for the exact list of packages that use it. I don't know of an actual PoC for this vulnerability.
If I was to use XVidCap to capture frames from a video off the net, if that worked before and after the update, would that be acceptable? Looks like XVidCap is a require.
Thanks, I should be able to get through this in the next 24-hrs.
In case it helps (I may pursue this for MGA4 64-bit):

$ urpmq --whatrequires libjbig1
cups-drivers-foo2kyo
cups-drivers-foo2zjs
cups-drivers-magicolor2430dl
cups-drivers-magicolor2530dl
cups-drivers-magicolor5430dl
cups-drivers-magicolor5440dl
ds9
graphicsmagick
imagemagick
imagemagick
jbigkit
libhylafax5
libjbig-devel
libjbig1
libtiff5
netpbm
pbmtozjs

To create a JBIG image, xnconvert can *write* JBIG, but only read JBIG-2. Unable to find out for ImageMagick/convert, their site unavailable.

Not sure about the relevance of video in this 2-colour scene.
CC: (none) => lewyssmith
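The test approach suggested in the comments above (generate a JBIG-compressed file and decode it through the library), as an added example that is not part of the original thread. It assumes the `pbmtojbg` and `jbgtopbm` tools from the jbigkit package are on the PATH; the function names and return codes are this example's own. It checks that the updated decoder still works, not that the overflow is fixed.

```shell
#!/bin/sh
# Added example: round-trip smoke test for libjbig using jbigkit's CLI tools.
# Return codes are this script's own convention:
#   0 = pass, 1 = mismatch or codec failure, 2 = jbigkit tools not installed.

W=32; H=32; PAYLOAD=$((W / 8 * H))   # raw PBM pixel bytes (128)

# Write a constructed 32x32 checkerboard (8x8 blocks) as raw PBM ("P4") to $1.
make_pbm() {
    {
        printf 'P4\n%d %d\n' "$W" "$H"
        y=0
        while [ "$y" -lt "$H" ]; do
            if [ $(( (y / 8) % 2 )) -eq 0 ]; then
                printf '\377\000\377\000'
            else
                printf '\000\377\000\377'
            fi
            y=$((y + 1))
        done
    } > "$1"
}

# Encode with pbmtojbg, decode with jbgtopbm, compare the pixel payloads.
# Headers are not compared because the two files may pad them differently.
jbig_roundtrip() {
    command -v pbmtojbg >/dev/null 2>&1 || return 2
    command -v jbgtopbm >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 1
    make_pbm "$dir/in.pbm"
    rc=1
    if pbmtojbg "$dir/in.pbm" "$dir/test.jbg" &&
       jbgtopbm "$dir/test.jbg" "$dir/out.pbm"; then
        tail -c "$PAYLOAD" "$dir/in.pbm"  > "$dir/in.raw"
        tail -c "$PAYLOAD" "$dir/out.pbm" > "$dir/out.raw"
        cmp -s "$dir/in.raw" "$dir/out.raw" && rc=0
    fi
    rm -rf "$dir"
    return "$rc"
}

jbig_roundtrip; result=$?
case $result in
    0) echo "PASS: libjbig round trip is lossless" ;;
    2) echo "SKIP: pbmtojbg/jbgtopbm not installed" ;;
    *) echo "FAIL: encode/decode failed or pixels differ" ;;
esac
```

Run it once with the installed package and again after installing the candidate from updates_testing; both runs should report PASS.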
I think this may be one of those do as best we can. Two people testing different ways is a good thing. I should be through all four of these by this time tomorrow California time. Thanks Lewis.
In VirtualBox, M3, KDE, 32-bit

[root@localhost wilcal]# urpmq --whatrequires libjbig1
imagemagick
[root@localhost wilcal]# urpmq --whatrequires imagemagick
xvidcap

Package(s) under test:
jbigkit imagemagick xvidcap

default install of jbigkit imagemagick xvidcap

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.0-6.mga3.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.1.1-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-5.mga3.i586 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

install jbigkit from updates_testing

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.0-6.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.1.1-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-5.mga3.i586 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

In VirtualBox, M3, KDE, 64-bit

[root@localhost wilcal]# urpmq --whatrequires libjbig1
imagemagick
[root@localhost wilcal]# urpmq --whatrequires imagemagick
xvidcap

Package(s) under test:
jbigkit imagemagick xvidcap

default install of jbigkit imagemagick xvidcap

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.0-6.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.1.1-2.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-5.mga3.x86_64 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

install jbigkit from updates_testing

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.0-6.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.1.1-2.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-5.mga3.x86_64 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Oden has updated to 2.1 in Cauldron. Oden, do you think we should update the update candidate to 2.1? It sounds like at least one of the other fixes in 2.1 is a security fix even though it doesn't have a CVE?
(In reply to David Walser from comment #9)
> Oden has updated to 2.1 in Cauldron. Oden, do you think we should update
> the update candidate to 2.1? It sounds like at least one of the other fixes
> in 2.1 is a security fix even though it doesn't have a CVE?

Yes, this is what I will do for mdv.

(In reply to Oden Eriksson from comment #10)
> (In reply to David Walser from comment #9)
> > Oden has updated to 2.1 in Cauldron. Oden, do you think we should update
> > the update candidate to 2.1? It sounds like at least one of the other fixes
> > in 2.1 is a security fix even though it doesn't have a CVE?
>
> Yes, this is what I will do for mdv.

Thanks! I will do the same here.

Sorry about any testing that's already taken place. I'll update this again later today.
Whiteboard: MGA3TOO => MGA3TOO feedback
Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated jbigkit packages fix security vulnerability:

Florian Weimer found a stack-based buffer overflow flaw in the libjbig library (part of jbigkit). A specially-crafted image file read by libjbig could be used to cause a program linked to libjbig to crash or, potentially, to execute arbitrary code (CVE-2013-6369).

The jbigkit package has been updated to version 2.1, which fixes this issue, as well as a few other bugs, including the ability of corrupted input data to force the jbig85 decoder into an endless loop.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6369
https://www.cl.cam.ac.uk/~mgk25/jbigkit/CHANGES
https://bugzilla.redhat.com/show_bug.cgi?id=1032273
========================

Updated packages in core/updates_testing:
========================
jbigkit-2.1-1.mga3
libjbig1-2.1-1.mga3
libjbig-devel-2.1-1.mga3
jbigkit-2.1-1.mga4
libjbig1-2.1-1.mga4
libjbig-devel-2.1-1.mga4

from SRPMS:
jbigkit-2.1-1.mga3.src.rpm
jbigkit-2.1-1.mga4.src.rpm
Whiteboard: MGA3TOO feedback => MGA3TOO
In VirtualBox, M4, KDE, 32-bit

This testing was done after the big openssh update

[root@localhost wilcal]# urpmq --whatrequires libjbig1
imagemagick
[root@localhost wilcal]# urpmq --whatrequires imagemagick
xvidcap

Package(s) under test:
jbigkit imagemagick xvidcap

default install of jbigkit imagemagick xvidcap

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.0-7.mga4.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-6.mga4.i586 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

install jbigkit from updates_testing

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-6.mga4.i586 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

In VirtualBox, M4, KDE, 64-bit

This testing was done after the big openssh update

[root@localhost wilcal]# urpmq --whatrequires libjbig1
imagemagick
[root@localhost wilcal]# urpmq --whatrequires imagemagick
xvidcap

Package(s) under test:
jbigkit imagemagick xvidcap

default install of jbigkit imagemagick xvidcap

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.0-7.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-6.mga4.x86_64 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

install jbigkit from updates_testing

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-6.mga4.x86_64 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

In VirtualBox, M3, KDE, 32-bit

[root@localhost wilcal]# urpmq --whatrequires libjbig1
imagemagick
[root@localhost wilcal]# urpmq --whatrequires imagemagick
xvidcap

Package(s) under test:
jbigkit imagemagick xvidcap

default install of jbigkit imagemagick xvidcap

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.0-6.mga3.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.1.1-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-5.mga3.i586 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

install jbigkit from updates_testing

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.1-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.1.1-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-5.mga3.i586 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

In VirtualBox, M3, KDE, 64-bit

[root@localhost wilcal]# urpmq --whatrequires libjbig1
imagemagick
[root@localhost wilcal]# urpmq --whatrequires imagemagick
xvidcap

Package(s) under test:
jbigkit imagemagick xvidcap

default install of jbigkit imagemagick xvidcap

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.0-6.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.1.1-2.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-5.mga3.x86_64 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

install jbigkit from updates_testing

[root@localhost wilcal]# urpmi jbigkit
Package jbigkit-2.1-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.1.1-2.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi xvidcap
Package xvidcap-1.1.7-5.mga3.x86_64 is already installed

Xvidcap generates a succession of .xwd frame capture images from a YouTube video which can be edited in Gimp.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

For me, using this test method, this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

imagemagick displays the captured video stream in all cases.

I think this can be tested lots of ways.
Debian has issued an advisory for this on April 10: https://www.debian.org/security/2014/dsa-2900
URL: (none) => http://lwn.net/Vulnerabilities/594454/
This thing's good to go.
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
======================================================
Name: CVE-2013-6369
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6369
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131104
Category:
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1032273
Reference: CONFIRM:https://www.cl.cam.ac.uk/~mgk25/jbigkit/CHANGES
Reference: SECUNIA:57731
Reference: URL:http://secunia.com/advisories/57731

Stack-based buffer overflow in the jbg_dec_in function in libjbig/jbig.c in JBIG-KIT before 2.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted image file.

Thanks Bill

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0174.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED