Mozilla has issued a report about security issues in libjpeg after a security audit:
https://wiki.mozilla.org/images/7/77/Libjpeg-turbo-report.pdf

Three of the issues have been fixed, according to this, with links to the fixes:
https://docs.google.com/document/d/1uxETuTL7_tVgE8EB49RhxxHuCyDIbcsS9fHNimBixm4/edit

A PoC for LJT-01-005 is in the report (first link above).

The two "Low" issues appear to not be exploitable in the code's current form.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libjpeg packages fix security vulnerability:

Out-of-Bounds Read in libjpeg-turbo before 1.5.0 via unusually long Blocks in MCU (LJT-01-005).

References:
https://wiki.mozilla.org/images/7/77/Libjpeg-turbo-report.pdf
https://docs.google.com/document/d/1uxETuTL7_tVgE8EB49RhxxHuCyDIbcsS9fHNimBixm4/edit
========================

Updated packages in core/updates_testing:
========================
libjpeg8-1.3.1-4.1.mga5
libjpeg62-1.3.1-4.1.mga5
libturbojpeg0-1.3.1-4.1.mga5
libjpeg-devel-1.3.1-4.1.mga5
libjpeg-static-devel-1.3.1-4.1.mga5
jpeg-progs-1.3.1-4.1.mga5

from libjpeg-1.3.1-4.1.mga5.src.rpm
Note the PoC mentioned in Comment 0. We also have a general testing procedure: https://bugs.mageia.org/show_bug.cgi?id=6928#c6
Whiteboard: (none) => has_procedure
After the update, djpeg and cjpeg on a normal JPEG file to convert to BMP and back, worked fine.

I didn't test through valgrind on the PoC, so it'd be nice if someone could.

Difference in the output in djpeg before and after on the PoC image are,

before:
Corrupt JPEG data: 5640 extraneous bytes before marker 0x7f
Unsupported marker type 0x7f

after:
Premature end of JPEG file

Tested on Mageia 5 i586.
In VirtualBox, M5, KDE, 32-bit

starting with pic1.ppm ( 640x504, 945.1 KiB )

Package(s) under test:
libjpeg8 libjpeg62 libturbojpeg0 jpeg-progs graphicsmagick strace

default install of libjpeg8 libjpeg62 libturbojpeg0 jpeg-progs graphicsmagick strace

[root@localhost wilcal]# urpmi libjpeg8
Package libjpeg8-1.3.1-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libjpeg62
Package libjpeg62-1.3.1-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libturbojpeg0
Package libturbojpeg0-1.3.1-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi jpeg-progs
Package jpeg-progs-1.3.1-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.i586 is already installed
[root@localhost images_test]# urpmi strace
Package strace-4.9-4.mga5.i586 is already installed

cjpeg pic1.ppm > pic1.jpg
cjpeg -quality 30 pic1.ppm > pic1_30.jpg
djpeg -scale 1/8 -pnm -outfile pic1_18.ppm pic1.jpg
djpeg -scale 1/8 -outfile pic1_18x.ppm pic1.jpg
jpegtran -rotate 90 pic1.jpg > pic1_rotated.jpg
gm display pic1.ppm
gm display pic1_18.ppm
strace -o strace1.txt gm display pic1.jpg "jpeg"
access("/usr/lib/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", R_OK) = 0
open("/usr/lib/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
djpeg -verbose pic1.jpg > pic1.bmp
cjpeg -grayscale -verbose pic1.bmp > pic1_grey.jpg

all work ok

starting with pic2.ppm ( 640x1067, 2.0 MiB )

install libjpeg8 libjpeg62 libturbojpeg0 jpeg-progs from updates_testing

[root@localhost wilcal]# urpmi libjpeg8
Package libjpeg8-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libjpeg62
Package libjpeg62-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libturbojpeg0
Package libturbojpeg0-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi jpeg-progs
Package jpeg-progs-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi strace
Package strace-4.9-4.mga5.i586 is already installed

cjpeg pic2.ppm > pic2.jpg
cjpeg -quality 30 pic2.ppm > pic2_30.jpg
djpeg -scale 1/8 -pnm -outfile pic2_18.ppm pic2.jpg
djpeg -scale 1/8 -outfile pic2_18x.ppm pic2.jpg
jpegtran -rotate 90 pic2.jpg > pic2_rotated.jpg
gm display pic2.ppm
gm display pic2_18.ppm
strace -o strace2.txt gm display pic2.jpg "jpeg"
access("/usr/lib/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", R_OK) = 0
open("/usr/lib/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", O_RDONLY|O_CLOEXEC) = 4
open("/lib/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
djpeg -verbose pic2.jpg > pic2.bmp
cjpeg -grayscale -verbose pic2.bmp > pic2_grey.jpg

all work ok
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

starting with pic1.ppm ( 640x504, 945.1 KiB )

Package(s) under test:
lib64jpeg8 lib64jpeg62 lib64turbojpeg0 jpeg-progs graphicsmagick strace

default install of lib64jpeg8 lib64jpeg62 lib64turbojpeg0 jpeg-progs graphicsmagick strace

[root@localhost images_test]# urpmi lib64jpeg8
Package lib64jpeg8-1.3.1-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi lib64jpeg62
Package lib64jpeg62-1.3.1-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi lib64turbojpeg0
Package lib64turbojpeg0-1.3.1-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi jpeg-progs
Package jpeg-progs-1.3.1-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.x86_64 is already installed
[root@localhost images_test]# urpmi strace
Package strace-4.9-4.mga5.x86_64 is already installed

cjpeg pic1.ppm > pic1.jpg
cjpeg -quality 30 pic1.ppm > pic1_30.jpg
djpeg -scale 1/8 -pnm -outfile pic1_18.ppm pic1.jpg
djpeg -scale 1/8 -outfile pic1_18x.ppm pic1.jpg
jpegtran -rotate 90 pic1.jpg > pic1_rotated.jpg
gm display pic1.ppm
gm display pic1_18.ppm
strace -o strace1.txt gm display pic1.jpg "jpeg"
access("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", R_OK) = 0
open("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
djpeg -verbose pic1.jpg > pic1.bmp
cjpeg -grayscale -verbose pic1.bmp > pic1_grey.jpg

all work ok

starting with pic2.ppm ( 640x1067, 2.0 MiB )

install lib64jpeg8 lib64jpeg62 lib64turbojpeg0 jpeg-progs from updates_testing

[root@localhost wilcal]# urpmi lib64jpeg8
Package libjpeg8-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi lib64jpeg62
Package libjpeg62-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi lib64turbojpeg0
Package libturbojpeg0-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi jpeg-progs
Package jpeg-progs-1.3.1-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.i586 is already installed
[root@localhost wilcal]# urpmi strace
Package strace-4.9-4.mga5.i586 is already installed

cjpeg pic2.ppm > pic2.jpg
cjpeg -quality 30 pic2.ppm > pic2_30.jpg
djpeg -scale 1/8 -pnm -outfile pic2_18.ppm pic2.jpg
djpeg -scale 1/8 -outfile pic2_18x.ppm pic2.jpg
jpegtran -rotate 90 pic2.jpg > pic2_rotated.jpg
gm display pic2.ppm
gm display pic2_18.ppm
strace -o strace2.txt gm display pic2.jpg "jpeg"
access("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", R_OK) = 0
open("/usr/lib64/GraphicsMagick-1.3.20/modules-Q8/coders/jpeg.so", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
djpeg -verbose pic2.jpg > pic2.bmp
cjpeg -grayscale -verbose pic2.bmp > pic2_grey.jpg

all work ok
URL: (none) => MGA5-32-OK MGA5-64-OK
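A consistency check for pasted QA logs like the two above, added here as an example and not part of the bug report or of Mageia's tooling. It confirms that each advisory package in a log is at the fixed release and the expected architecture, and that strace shows libjpeg being loaded from the matching library directory; the names `audit` and `split_nvra` are hypothetical, and the sample lines are copied from the logs in this thread.

```python
import re

FIXED_EVR = "1.3.1-4.1.mga5"  # fixed version-release listed in the advisory above
ADVISORY_PKGS = {"libjpeg8", "libjpeg62", "libturbojpeg0", "jpeg-progs"}
URPMI_RE = re.compile(r"Package (\S+) is already installed")
OPEN_RE = re.compile(r'open\("([^"]*libjpeg\.so[^"]*)",[^)]*\)\s*=\s*(-?\d+)')

def split_nvra(nvra):
    """Split name-version-release.arch into (name, version, release, arch)."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def audit(log, expected_arch):
    """Return findings for one pasted QA log; an empty list means consistent."""
    findings = []
    for nvra in URPMI_RE.findall(log):
        name, version, release, arch = split_nvra(nvra)
        # lib64jpeg8 is the x86_64 package name of libjpeg8
        base = "lib" + name[5:] if name.startswith("lib64") else name
        if base not in ADVISORY_PKGS:
            continue  # e.g. graphicsmagick, strace: not part of this update
        if f"{version}-{release}" != FIXED_EVR:
            findings.append(f"{nvra}: not the fixed release {FIXED_EVR}")
        if arch != expected_arch:
            findings.append(f"{nvra}: arch {arch}, expected {expected_arch}")
    libdir = "/lib64/" if expected_arch == "x86_64" else "/lib/"
    loaded = [path for path, fd in OPEN_RE.findall(log) if int(fd) >= 0]
    if not loaded:
        findings.append("strace shows no successful open() of libjpeg")
    findings += [f"{p}: outside {libdir}" for p in loaded if not p.startswith(libdir)]
    return findings

# Lines copied from the logs in this thread (32-bit run after the update).
LOG_32 = '''
Package libjpeg8-1.3.1-4.1.mga5.i586 is already installed
Package jpeg-progs-1.3.1-4.1.mga5.i586 is already installed
Package graphicsmagick-1.3.20-4.mga5.i586 is already installed
open("/lib/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
'''
# Lines copied from the 64-bit run: one from before the update, one from after.
LOG_64 = '''
Package lib64jpeg8-1.3.1-4.mga5.x86_64 is already installed
Package libjpeg8-1.3.1-4.1.mga5.i586 is already installed
open("/lib64/libjpeg.so.8", O_RDONLY|O_CLOEXEC) = 4
'''

if __name__ == "__main__":
    for label, log, arch in (("32-bit", LOG_32, "i586"), ("64-bit", LOG_64, "x86_64")):
        print(label, audit(log, arch) or "consistent")
```

A finding means the log alone does not show the patched library on that architecture, so the package state is worth re-checking before the update is marked OK.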
Before I validate this note that there is in updates_testing:

graphicsmagick-1.3.24-1.mga5.i586.rpm
graphicsmagick-1.3.24-1.mga5.x86_64.rpm

I tried to run this test using these packages and graphicsmagick failed to run properly. I ask David if this is relevant to this test?
(In reply to William Kenney from comment #5)
> I tried to run this test using these packages and graphicsmagick
> failed to run properly. I ask David if this is relevant to this test?

Could you be more specific?
After updates:

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.20-4.mga5.i586 is already installed

[wilcal@localhost images_test]$ gm display pic1.ppm
[wilcal@localhost images_test]$ gm display pic1_18.ppm

Displays just fine

install graphicsmagick from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.24-1.mga5.i586 is already installed

[wilcal@localhost images_test]$ gm display pic1.ppm
gm display: Unable to access configuration file (delegates.mgk) [No such file or directory].
gm display: Unable to open file (Untitled) [No such file or directory].
[wilcal@localhost images_test]$ gm display pic1_18.ppm
gm display: Unable to access configuration file (delegates.mgk) [No such file or directory].
gm display: Unable to open file (Untitled) [No such file or directory].
Thanks. Could you please report that on Bug 17714?
Will do. Can we turn this one loose?
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
advisory added
URL: MGA5-32-OK MGA5-64-OK => (none)
CC: (none) => tmb
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0224.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/691098/