Bug 18677 - libjpeg security issues fixed in 1.5.0 found by Mozilla
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/691098/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-06-10 14:40 CEST by David Walser
Modified: 2016-06-13 21:57 CEST

See Also:
Source RPM: libjpeg-1.3.1-4.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-06-10 14:40:56 CEST
Mozilla has issued a report about security issues in libjpeg after a security audit:
https://wiki.mozilla.org/images/7/77/Libjpeg-turbo-report.pdf

Three of the issues have been fixed, according to this, with links to the fixes:
https://docs.google.com/document/d/1uxETuTL7_tVgE8EB49RhxxHuCyDIbcsS9fHNimBixm4/edit

A PoC for LJT-01-005 is in the report (first link above).

The two "Low" issues appear to not be exploitable in the code's current form.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libjpeg packages fix security vulnerability:

Out-of-Bounds Read in libjpeg-turbo before 1.5.0 via unusually long Blocks in
MCU (LJT-01-005).

References:
https://wiki.mozilla.org/images/7/77/Libjpeg-turbo-report.pdf
https://docs.google.com/document/d/1uxETuTL7_tVgE8EB49RhxxHuCyDIbcsS9fHNimBixm4/edit
========================

Updated packages in core/updates_testing:
========================
libjpeg8-1.3.1-4.1.mga5
libjpeg62-1.3.1-4.1.mga5
libturbojpeg0-1.3.1-4.1.mga5
libjpeg-devel-1.3.1-4.1.mga5
libjpeg-static-devel-1.3.1-4.1.mga5
jpeg-progs-1.3.1-4.1.mga5

from libjpeg-1.3.1-4.1.mga5.src.rpm
Comment 1 David Walser 2016-06-10 14:41:24 CEST
Note the PoC mentioned in Comment 0.  We also have a general testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=6928#c6

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-06-12 01:26:53 CEST
After the update, running djpeg and cjpeg on a normal JPEG file to convert to BMP and back worked fine.

I didn't test through valgrind on the PoC, so it'd be nice if someone could.  The differences in the djpeg output before and after on the PoC image are:

before:

Corrupt JPEG data: 5640 extraneous bytes before marker 0x7f
Unsupported marker type 0x7f

after:

Premature end of JPEG file

Tested on Mageia 5 i586.
Comment 3 William Kenney 2016-06-12 19:57:09 CEST
In VirtualBox, M5, KDE, 32-bit

starting with pic1.ppm ( 640x504, 945.1 KiB )

Package(s) under test:
libjpeg8 libjpeg62 libturbojpeg0 jpeg-progs graphicsmagick strace

default install of libjpeg8 libjpeg62 libturbojpeg0 jpeg-progs
graphicsmagick strace

[root@localhost wilcal]# urpmi libjpeg8
Package libjpeg8-1.3.1-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libjpeg62
Package libjpeg62-1.3.1-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libturbojpeg0
Package libturbojpeg0-1.3.1-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi jpeg-progs
Package jpeg-progs-1.3.1-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.i586 is already installed
[root@localhost images_test]# urpmi strace
Package strace-4.9-4.mga5.i586 is already installed

cjpeg pic1.ppm > pic1.jpg
cjpeg -quality 30 pic1.ppm > pic1_30.jpg
djpeg -scale 1/8 -pnm -outfile pic1_18.ppm pic1.jpg
djpeg -scale 1/8 -outfile pic1_18x.ppm pic1.jpg
jpegtran -rotate 90 pic1.jpg > pic1_rotated.jpg
gm display pic1.ppm
gm display pic1_18.ppm
strace -o strace1.txt gm display pic1.jpg    "jpeg"
 access("/usr/lib/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", R_OK) = 0
 open("/usr/lib/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", O_RDONLY|O_CLOEXEC) = 4
 open("/lib/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
djpeg -verbose pic1.jpg > pic1.bmp
cjpeg -grayscale -verbose pic1.bmp > pic1_grey.jpg
all work ok

starting with pic2.ppm ( 640x1067, 2.0 MiB )

install libjpeg8 libjpeg62 libturbojpeg0 jpeg-progs from updates_testing

[root@localhost wilcal]# urpmi libjpeg8
Package libjpeg8-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libjpeg62
Package libjpeg62-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libturbojpeg0
Package libturbojpeg0-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi jpeg-progs
Package jpeg-progs-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi strace
Package strace-4.9-4.mga5.i586 is already installed

cjpeg pic2.ppm > pic2.jpg
cjpeg -quality 30 pic2.ppm > pic2_30.jpg
djpeg -scale 1/8 -pnm -outfile pic2_18.ppm pic2.jpg
djpeg -scale 1/8 -outfile pic2_18x.ppm pic2.jpg
jpegtran -rotate 90 pic2.jpg > pic2_rotated.jpg
gm display pic2.ppm
gm display pic2_18.ppm
strace -o strace2.txt gm display pic2.jpg    "jpeg"
 access("/usr/lib/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", R_OK) = 0
 open("/usr/lib/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", O_RDONLY|O_CLOEXEC) = 4
 open("/lib/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
djpeg -verbose pic2.jpg > pic2.bmp
cjpeg -grayscale -verbose pic2.bmp > pic2_grey.jpg
all work ok

CC: (none) => wilcal.int

Comment 4 William Kenney 2016-06-12 20:29:06 CEST
In VirtualBox, M5, KDE, 64-bit

starting with pic1.ppm ( 640x504, 945.1 KiB )

Package(s) under test:
lib64jpeg8 lib64jpeg62 lib64turbojpeg0 jpeg-progs graphicsmagick strace

default install of lib64jpeg8 lib64jpeg62 lib64turbojpeg0 jpeg-progs
graphicsmagick strace

[root@localhost images_test]# urpmi lib64jpeg8
Package lib64jpeg8-1.3.1-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi lib64jpeg62
Package lib64jpeg62-1.3.1-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi lib64turbojpeg0
Package lib64turbojpeg0-1.3.1-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi jpeg-progs
Package jpeg-progs-1.3.1-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi strace
Package strace-4.9-4.mga5.x86_64 is already installed

cjpeg pic1.ppm > pic1.jpg
cjpeg -quality 30 pic1.ppm > pic1_30.jpg
djpeg -scale 1/8 -pnm -outfile pic1_18.ppm pic1.jpg
djpeg -scale 1/8 -outfile pic1_18x.ppm pic1.jpg
jpegtran -rotate 90 pic1.jpg > pic1_rotated.jpg
gm display pic1.ppm
gm display pic1_18.ppm
strace -o strace1.txt gm display pic1.jpg    "jpeg"
 access("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", R_OK) = 0
 open("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", O_RDONLY|O_CLOEXEC) = 4
 open("/lib64/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
djpeg -verbose pic1.jpg > pic1.bmp
cjpeg -grayscale -verbose pic1.bmp > pic1_grey.jpg
all work ok

starting with pic2.ppm ( 640x1067, 2.0 MiB )

install lib64jpeg8 lib64jpeg62 lib64turbojpeg0 jpeg-progs from updates_testing

[root@localhost wilcal]# urpmi lib64jpeg8
Package libjpeg8-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi lib64jpeg62
Package libjpeg62-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi lib64turbojpeg0
Package libturbojpeg0-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi jpeg-progs
Package jpeg-progs-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi strace
Package strace-4.9-4.mga5.i586 is already installed

cjpeg pic2.ppm > pic2.jpg
cjpeg -quality 30 pic2.ppm > pic2_30.jpg
djpeg -scale 1/8 -pnm -outfile pic2_18.ppm pic2.jpg
djpeg -scale 1/8 -outfile pic2_18x.ppm pic2.jpg
jpegtran -rotate 90 pic2.jpg > pic2_rotated.jpg
gm display pic2.ppm
gm display pic2_18.ppm
strace -o strace2.txt gm display pic2.jpg    "jpeg"
access("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", R_OK) = 0
open("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
djpeg -verbose pic2.jpg > pic2.bmp
cjpeg -grayscale -verbose pic2.bmp > pic2_grey.jpg
all work ok
William Kenney 2016-06-12 20:29:38 CEST

URL: (none) => MGA5-32-OK MGA5-64-OK
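
Added example (not part of the original comments): the strace step in Comments 3 and 4 confirms that gm really loads libjpeg.so.8, and the script below does that check over an strace log, listing only the libjpeg objects that were opened successfully and skipping failed search-path probes. The function names and the sample log are constructed for illustration, modelled on the strace lines quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Print each libjpeg shared object the traced process opened successfully.
loaded_libjpeg() {   # $1: log written by `strace -o`
    awk '
        /^[0-9 ]*(open|openat)\(/ && /libjpeg[^"]*\.so/ {
            n = split($0, parts, " = ")        # return value follows the last " = "
            if (parts[n] ~ /^-1/) next         # failed probe such as -1 ENOENT
            if (match($0, /"[^"]+"/)) {        # first quoted string is the path
                path = substr($0, RSTART + 1, RLENGTH - 2)
                if (!seen[path]++) print path  # report each path once
            }
        }
    ' "$1"
}

# Constructed sample log: three lines modelled on the 64-bit run above, plus a
# constructed failed probe and a repeated open to exercise the edge cases.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
access("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", R_OK) = 0
open("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", O_RDONLY|O_CLOEXEC) = 4
open("/usr/lib64/tls/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
EOF
    printf '%s\n' "$f"
}

log=$(make_sample_log)
loaded_libjpeg "$log"
rm -f "$log"
```

On the system under test, passing each printed path to `rpm -qf` shows which installed package release owns the library that was actually loaded.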

Comment 5 William Kenney 2016-06-12 20:35:01 CEST
Before I validate this, note that there is in updates_testing:

graphicsmagick-1.3.24-1.mga5.i586.rpm
graphicsmagick-1.3.24-1.mga5.x86_64.rpm

I tried to run this test using these packages and graphicsmagick
failed to run properly. I ask David if this is relevant to this test?
Comment 6 David Walser 2016-06-12 20:37:48 CEST
(In reply to William Kenney from comment #5)
> I tried to run this test using these packages and graphicsmagick
> failed to run properly. I ask David if this is relevant to this test?

Could you be more specific?
Comment 7 William Kenney 2016-06-12 20:54:27 CEST
After updates:

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.i586 is already installed

[wilcal@localhost images_test]$ gm display pic1.ppm
[wilcal@localhost images_test]$ gm display pic1_18.ppm
Displays just fine

install graphicsmagick from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.24-1.mga5.i586 is already installed

[wilcal@localhost images_test]$ gm display pic1.ppm
gm display: Unable to access configuration file (delegates.mgk) [No such file or directory].
gm display: Unable to open file (Untitled) [No such file or directory].
[wilcal@localhost images_test]$ gm display pic1_18.ppm
gm display: Unable to access configuration file (delegates.mgk) [No such file or directory].
gm display: Unable to open file (Untitled) [No such file or directory].
Comment 8 David Walser 2016-06-12 21:04:57 CEST
Thanks.  Could you please report that on Bug 17714?
Comment 9 William Kenney 2016-06-12 21:20:18 CEST
Will do. Can we turn this one loose?
Comment 10 William Kenney 2016-06-13 01:09:19 CEST
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Thomas Backlund 2016-06-13 17:36:01 CEST
advisory added

URL: MGA5-32-OK MGA5-64-OK => (none)
CC: (none) => tmb
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 12 Mageia Robot 2016-06-13 17:56:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0224.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-06-13 21:57:18 CEST

URL: (none) => http://lwn.net/Vulnerabilities/691098/

