Bug 21974 - libjpeg new security issue CVE-2017-15232
Summary: libjpeg new security issue CVE-2017-15232
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-11-03 17:09 CET by David Walser
Modified: 2017-11-10 20:33 CET (History)
CC: 6 users

See Also:
Source RPM: libjpeg-1.5.1-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-11-03 17:09:37 CET
openSUSE has issued an advisory on October 28:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00115.html

The SUSE bug has a link to the commit that fixed it:
https://bugzilla.suse.com/show_bug.cgi?id=1062937

Mageia 5 is probably also affected.

Note that Cauldron is also probably missing the patch to fix this.
David Walser 2017-11-03 17:09:54 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-11-03 22:15:53 CET
(In reply to David Walser from comment #0)
> openSUSE has issued an advisory on October 28:
> https://lists.opensuse.org/opensuse-updates/2017-10/msg00115.html
> 
> The SUSE bug has a link to the commit that fixed it:
> https://bugzilla.suse.com/show_bug.cgi?id=1062937
> 
> Mageia 5 is probably also affected.
> 
> Note that Cauldron is also probably missing the patch to fix this.

Changing version to Cauldron and adding MGA6TOO, to decrease the chance that cauldron will be forgotten.

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
Whiteboard: MGA5TOO => MGA5TOO, MGA6TOO
Version: 6 => Cauldron
CC: (none) => marja11

Comment 2 Nicolas Salguero 2017-11-06 13:12:25 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. (CVE-2017-15232)

References:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00115.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15232
========================

Updated packages in 5/core/updates_testing:
========================
lib(64)jpeg8-1.3.1-4.2.mga5
lib(64)jpeg62-1.3.1-4.2.mga5
lib(64)turbojpeg0-1.3.1-4.2.mga5
lib(64)jpeg-devel-1.3.1-4.2.mga5
lib(64)jpeg-static-devel-1.3.1-4.2.mga5
jpeg-progs-1.3.1-4.2.mga5

from SRPMS:
libjpeg-1.3.1-4.2.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
lib(64)jpeg8-1.5.1-1.1.mga6
lib(64)jpeg62-1.5.1-1.1.mga6
lib(64)turbojpeg0-1.5.1-1.1.mga6
lib(64)jpeg-devel-1.5.1-1.1.mga6
lib(64)jpeg-static-devel-1.5.1-1.1.mga6
jpeg-progs-1.5.1-1.1.mga6

from SRPMS:
libjpeg-1.5.1-1.1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA5TOO, MGA6TOO => MGA5TOO
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

Lewis Smith 2017-11-06 21:50:58 CET

Keywords: (none) => advisory

Comment 3 Len Lawrence 2017-11-06 22:35:57 CET
Testing on Mageia 6 on x86_64

Tried the POCs for CVE-2017-15232 as detailed at https://bugzilla.suse.com/show_bug.cgi?id=1062937#c4
$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 002-mozjpeg-quantize_ord_dither-536.crash
Segmentation fault (core dumped)
$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 001-mozjpeg-quantize_ord_dither-536.crash
Corrupt JPEG data: 94 extraneous bytes before marker 0xdd
Segmentation fault (core dumped)

Ran the updates.
- jpeg-progs-1.5.1-1.1.mga6.x86_64
- lib64jpeg-devel-1.5.1-1.1.mga6.x86_64
- lib64jpeg-static-devel-1.5.1-1.1.mga6.x86_64
- lib64jpeg62-1.5.1-1.1.mga6.x86_64
- lib64jpeg8-1.5.1-1.1.mga6.x86_64
- lib64turbojpeg0-1.5.1-1.1.mga6.x86_64

$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 002-mozjpeg-quantize_ord_dither-536.crash
No segfault.
$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 001-mozjpeg-quantize_ord_dither-536.crash
Corrupt JPEG data: 94 extraneous bytes before marker 0xdd
Segmentation fault (core dumped)
No difference there, which agrees with the upstream test.  There was some uncertainty about whether another CVE would need to be issued for the second case.  For the time being we can say that one of the issues is fixed but there is some doubt about the other.

Utility tests to follow.

CC: (none) => tarazed25

Comment 4 Herman Viaene 2017-11-07 13:30:00 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues
When I try the POC as above I get:
$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 002-mozjpeg-quantize_ord_dither-536.crash
usage: djpeg [switches] [inputfile]
Switches (names may be abbreviated):
  -colors N      Reduce image to no more than N colors
  -fast          Fast, low-quality processing
  -grayscale     Force grayscale output
  -rgb           Force RGB output
  -scale M/N     Scale output image by fraction M/N, eg, 1/8
  -bmp           Select BMP output format (Windows style)
  -gif           Select GIF output format
  -os2           Select BMP output format (OS/2 style)
  -pnm           Select PBMPLUS (PPM/PGM) output format (default)
  -targa         Select Targa output format
Switches for advanced users:
and some more
I see that the "-crop" switch is not listed
$ djpeg -gif -outfile 1973.gif 1973.jpg
produces a perfectly viewable gif file.

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2017-11-07 17:41:13 CET
That is odd.  Maybe the vulnerability does not affect the 32-bit versions or maybe it needs a different test.  Not our problem I would say.
Comment 6 Len Lawrence 2017-11-07 18:53:03 CET
$ urpmq -i jpeg-progs
shows that the package supplies:
cjpeg - compress image file to jpeg
djpeg - decompress jpeg to another format
jpegtran - transformation options
rdjpgcom - read text comments from jpeg file
wrjpgcom - write comments into a jpeg file

--help switch provides comprehensive help information.

Since output goes to STDOUT, redirection is required to save an image, or else use the -outfile switch.  Source file formats need to be PPM, PGM, BMP, Targa or JPEG.
$ cjpeg -quality 95 teapot.ppm > teapot.jpg
or
$ cjpeg -quality 60 -outfile piuva_2.jpg piuva.bmp
$ cjpeg -greyscale teapot.ppm > greypot.jpg
Perfect greyscale image.
$ djpeg maggie.jpg > maggie.tga
$ display maggie.tga
That looks fine.
$ cjpeg maggie.tga > maggie_2.jpg
However:
$ cjpeg -targa maggie.tga > maggie_2.jpg
Invalid or unsupported Targa file
but:
$ cjpeg -targa maple.tga > test.jpg
and
$ cjpeg maple.tga > test.jpg

Insert a comment:
$ wrjpgcom -comment "This is a maple leaf" test.jpg > mapleleaf.jpg
$ rdjpgcom mapleleaf.jpg
This is a maple leaf

Remove all comments:
$ wrjpgcom -replace -comment "" mapleleaf.jpg > newleaf.jpg
$ rdjpgcom newleaf.jpg

$ file Sculptor_Galaxy.jpeg 
Sculptor_Galaxy.jpeg: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 2800x2016, frames 3
$ jpegtran -progressive Sculptor_Galaxy.jpeg > galaxy.jpg
$ file galaxy.jpg
galaxy.jpg: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, progressive, precision 8, 2800x2016, frames 3

It looks like the tools all work, so this gets a pass.
Len Lawrence 2017-11-07 18:53:44 CET

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 7 Len Lawrence 2017-11-08 13:02:24 CET
Referring to comments 4 and 5:
No, it is not odd.  The -crop option is not available for the older version of djpeg.  It is listed for jpegtran but I was unable to get it to run.  So the POCs cannot be tested in Mageia 5.
Comment 8 Len Lawrence 2017-11-08 13:03:34 CET
@Herman.  Just go ahead with the 32-bit OK.
Herman Viaene 2017-11-08 13:45:18 CET

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK

Comment 9 Len Lawrence 2017-11-08 17:31:19 CET
Installed the updates on Mageia 5 x86_64.

Ran the same tests as in comment 6 on a range of files with no problems except one.
There was one rejection:
$ cjpeg -quality 100 Maggie.gif > Maggie_gif.jpg 
GIF input is unsupported for legal reasons.  Sorry.
This is probably referring to the patent on LZW encoding (which used to be about bitstream run length encoding).  The Unisys patent expired in 2003 and its European counterpart in 2004 so this is puzzling.
As Herman demonstrated, going the other way does not present any difficulties.
$ djpeg -gif -outfile greypot.gif greypot.jpg
$ eom greypot.gif
$

Good for 64 bits.
Comment 10 PC LX 2017-11-09 00:57:05 CET
Installed and tested without issues.

Tested using the following commands for a bunch of ppm and jpeg files, some quite large.
$ cjpeg -outfile test.jpeg test.ppm
$ djpeg -outfile test.ppm test.jpeg
$ jpegtran -crop 1000x1000+0+0 -progressive -grayscale -outfile test2.jpeg test.jpeg
$ wrjpgcom -comment "test 1 2 3" test.jpeg > test2.jpeg 
$ rdjpgcom test2.jpeg
test 1 2 3

Checked generated images with gwenview.

Tested the PoC and it did not crash, but the crop parameter is not available for this version, so I don't know how valid the PoC tests are.

$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ djpeg -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 002-mozjpeg-quantize_ord_dither-536.crash
Premature end of JPEG file
$ djpeg -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 001-mozjpeg-quantize_ord_dither-536.crash
Corrupt JPEG data: 94 extraneous bytes before marker 0xdd
$ rpm -qa | egrep 'lib(64)?jpeg|jpeg-progs' | sort
jpeg-progs-1.3.1-4.2.mga5
lib64jpeg8-1.3.1-4.2.mga5
lib64jpeg-devel-1.3.1-4.2.mga5
libjpeg62-1.3.1-4.2.mga5
libjpeg8-1.3.1-4.2.mga5

Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK
CC: (none) => mageia
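The two djpeg messages quoted in comments 3 and 10 ("Corrupt JPEG data: N extraneous bytes before marker 0xNN" and "Premature end of JPEG file") come from the decoder's marker reader, not from image decoding. As an added example (not code from the bug report or from libjpeg), the Python below walks a file's marker segments without decoding anything, so a suspect file can be inspected for those two conditions before it is handed to the library under test; the sample bytes and the 94-byte junk run are constructed to mirror the warning text, they are not the crash files.

```python
# Added example, not from the bug report or libjpeg: walk JPEG marker segments
# without decoding, reproducing two djpeg messages quoted in this report.

STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RST0-7

def walk_markers(data):
    """Return (segments, warnings); each segment is (marker, offset, length)."""
    segs, warns, pos, skipped = [], [], 0, 0
    while pos < len(data):
        if data[pos] != 0xFF:                       # byte outside any segment
            pos, skipped = pos + 1, skipped + 1
            continue
        while pos < len(data) and data[pos] == 0xFF:  # fill bytes before marker code
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if skipped:                                 # same wording djpeg uses
            warns.append(f"Corrupt JPEG data: {skipped} extraneous bytes before marker 0x{marker:02x}")
            skipped = 0
        if marker in STANDALONE:                    # no length field
            segs.append((marker, pos - 2, 0))
            if marker == 0xD9:                      # EOI: clean end of image
                return segs, warns
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2 or pos + length > len(data):  # truncated inside a segment
            break
        segs.append((marker, pos - 2, length))
        pos += length
        if marker == 0xDA:                          # SOS: skip entropy-coded data
            while pos < len(data):
                nxt = data[pos + 1] if pos + 1 < len(data) else None
                if data[pos] == 0xFF and nxt not in (None, 0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    warns.append("Premature end of JPEG file")      # ran out of bytes before EOI
    return segs, warns

def seg(marker, payload=b""):
    """One segment: FF, marker, big-endian length including itself, payload."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample (not the crash file): 94 junk bytes before DRI (0xDD), as in comment 3.
SAMPLE = (bytes([0xFF, 0xD8]) + seg(0xE0, b"JFIF\x00\x01\x02\x00\x00\x64\x00\x64\x00\x00")
          + seg(0xDB, b"\x00" + bytes(64)) + bytes(94) + seg(0xDD, b"\x00\x10")
          + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + bytes([0xFF, 0xD9]))
TRUNCATED = SAMPLE[:-4]   # cut after the SOS header: no scan data and no EOI
```

Running `walk_markers` over the two constructed inputs yields the extraneous-bytes warning for both and the premature-end warning only for the truncated one; on a real crash file it reports which segment the stream breaks in.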

Len Lawrence 2017-11-09 08:02:48 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Len Lawrence 2017-11-09 08:37:49 CET
And thanks to Herman and PC LX for your tests.
Comment 12 Mageia Robot 2017-11-10 20:33:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0407.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

