openSUSE has issued an advisory on October 28:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00115.html

The SUSE bug has a link to the commit that fixed it:
https://bugzilla.suse.com/show_bug.cgi?id=1062937

Mageia 5 is probably also affected.

Note that Cauldron is also probably missing the patch to fix this.
Whiteboard: (none) => MGA5TOO
(In reply to David Walser from comment #0)
> openSUSE has issued an advisory on October 28:
> https://lists.opensuse.org/opensuse-updates/2017-10/msg00115.html
>
> The SUSE bug has a link to the commit that fixed it:
> https://bugzilla.suse.com/show_bug.cgi?id=1062937
>
> Mageia 5 is probably also affected.
>
> Note that Cauldron is also probably missing the patch to fix this.

Changing version to Cauldron and adding MGA6TOO, to decrease the chance that Cauldron will be forgotten.

Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
Whiteboard: MGA5TOO => MGA5TOO, MGA6TOO
Version: 6 => Cauldron
CC: (none) => marja11
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. (CVE-2017-15232)

References:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00115.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15232
========================

Updated packages in 5/core/updates_testing:
========================
lib(64)jpeg8-1.3.1-4.2.mga5
lib(64)jpeg62-1.3.1-4.2.mga5
lib(64)turbojpeg0-1.3.1-4.2.mga5
lib(64)jpeg-devel-1.3.1-4.2.mga5
lib(64)jpeg-static-devel-1.3.1-4.2.mga5
jpeg-progs-1.3.1-4.2.mga5

from SRPMS:
libjpeg-1.3.1-4.2.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
lib(64)jpeg8-1.5.1-1.1.mga6
lib(64)jpeg62-1.5.1-1.1.mga6
lib(64)turbojpeg0-1.5.1-1.1.mga6
lib(64)jpeg-devel-1.5.1-1.1.mga6
lib(64)jpeg-static-devel-1.5.1-1.1.mga6
jpeg-progs-1.5.1-1.1.mga6

from SRPMS:
libjpeg-1.5.1-1.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA5TOO, MGA6TOO => MGA5TOO
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Keywords: (none) => advisory
Testing on Mageia 6 on x86_64

Tried the POCs for CVE-2017-15232 as detailed at https://bugzilla.suse.com/show_bug.cgi?id=1062937#c4

$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 002-mozjpeg-quantize_ord_dither-536.crash
Segmentation fault (core dumped)

$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 001-mozjpeg-quantize_ord_dither-536.crash
Corrupt JPEG data: 94 extraneous bytes before marker 0xdd
Segmentation fault (core dumped)

Ran the updates.
- jpeg-progs-1.5.1-1.1.mga6.x86_64
- lib64jpeg-devel-1.5.1-1.1.mga6.x86_64
- lib64jpeg-static-devel-1.5.1-1.1.mga6.x86_64
- lib64jpeg62-1.5.1-1.1.mga6.x86_64
- lib64jpeg8-1.5.1-1.1.mga6.x86_64
- lib64turbojpeg0-1.5.1-1.1.mga6.x86_64

$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 002-mozjpeg-quantize_ord_dither-536.crash
No segfault.

$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 001-mozjpeg-quantize_ord_dither-536.crash
Corrupt JPEG data: 94 extraneous bytes before marker 0xdd
Segmentation fault (core dumped)

No difference there, which agrees with the upstream test. There was some uncertainty about whether another CVE would need to be issued for the second case. For the time being we can say that one of the issues is fixed but there is some doubt about the other.

Utility tests to follow.
CC: (none) => tarazed25
MGA5-32 on Asus A6000VM Xfce
No installation issues

When I try the POC as above I get:
$ djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 002-mozjpeg-quantize_ord_dither-536.crash
usage: djpeg [switches] [inputfile]
Switches (names may be abbreviated):
  -colors N      Reduce image to no more than N colors
  -fast          Fast, low-quality processing
  -grayscale     Force grayscale output
  -rgb           Force RGB output
  -scale M/N     Scale output image by fraction M/N, eg, 1/8
  -bmp           Select BMP output format (Windows style)
  -gif           Select GIF output format
  -os2           Select BMP output format (OS/2 style)
  -pnm           Select PBMPLUS (PPM/PGM) output format (default)
  -targa         Select Targa output format
Switches for advanced users:
and some more

I see that the "-crop" switch is not listed.

$ djpeg -gif -outfile 1973.gif 1973.jpg
produces a perfectly viewable gif file.
CC: (none) => herman.viaene
That is odd. Maybe the vulnerability does not affect the 32-bit versions or maybe it needs a different test. Not our problem I would say.
$ urpmq -i jpeg-progs
shows that the package supplies:
cjpeg - compress image file to jpeg
djpeg - decompress jpeg to another format
jpegtran - transformation options
rdjpgcom - read texy comments from jpeg file
wrjpgcom - write comments into a jpeg file

--help switch provides comprehensive help information.

Since output goes to STDOUT redirection is required to save an image, or else use -outfile switch. Source file formats need to be PPM, PGM, BMP, Targa or JPEG.

$ cjpeg -quality 95 teapot.ppm > teapot.jpg
or
$ cjpeg -quality 60 -outfile piuva_2.jpg piuva.bmp

$ cjpeg -greyscale teapot.ppm > greypot.jpg
Perfect greyscale image.

$ djpeg maggie.jpg > maggie.tga
$ display maggie.tga
That looks fine.

$ cjpeg maggie.tga > maggie_2.jpg
However:
$ cjpeg -targa maggie.tga > maggie_2.jpg
Invalid or unsupported Targa file
but:
$ cjpeg -targa maple.tga > test.jpg
and
$ cjpeg maple.tga > test.jpg

Insert a comment:
$ wrjpgcom -comment "This is a maple leaf" test.jpg > mapleleaf.jpg
$ rdjpgcom mapleleaf.jpg
This is a maple leaf

Remove all comments:
$ wrjpgcom -replace -comment "" mapleleaf.jpg > newleaf.jpg
$ rdjpgcom newleaf.jpg
$

$ file Sculptor_Galaxy.jpeg
Sculptor_Galaxy.jpeg: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 2800x2016, frames 3
$ jpegtran -progressive Sculptor_Galaxy.jpeg > galaxy.jpg
$ file galaxy.jpg
galaxy.jpg: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, progressive, precision 8, 2800x2016, frames 3

It looks like the tools all work, so this gets a pass.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Referring to comments 4 and 5: No, it is not odd. The -crop option is not available for the older version of djpeg. It is listed for jpegtran but I was unable to get it to run. So the POCs cannot be tested in Mageia 5.
@Herman. Just go ahead with the 32-bit OK.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK
Installed the updates on Mageia 5 x86_64.

Ran the same tests as in comment 6 on a range of files with no problems except one. There was one rejection:

$ cjpeg -quality 100 Maggie.gif > Maggie_gif.jpg
GIF input is unsupported for legal reasons. Sorry.

This is probably referring to the patent on LZW encoding (which used to be about bitstream run length encoding). The Unisys patent expired in 2003 and its European counterpart in 2004 so this is puzzling.

As Herman demonstrated, going the other way does not present any difficulties.

$ djpeg -gif -outfile greypot.gif greypot.jpg
$ eom greypot.gif
$

Good for 64 bits.
Installed and tested without issues.

Tested using the following commands for a bunch of ppm and jpeg files, some quite large.

$ cjpeg -outfile test.jpeg test.ppm
$ djpeg -outfile test.ppm test.jpeg
$ jpegtran -crop 1000x1000+0+0 -progressive -grayscale -outfile test2.jpeg test.jpeg
$ wrjpgcom -comment "test 1 2 3" test.jpeg > test2.jpeg
$ rdjpgcom test2.jpeg
test 1 2 3

Checked generated images with gwenview.

Tested the PoC and did not crash but the crop parameter is not available for this version, so I don't know how valid the PoC tests are.

$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ djpeg -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 002-mozjpeg-quantize_ord_dither-536.crash
Premature end of JPEG file

$ djpeg -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o 001-mozjpeg-quantize_ord_dither-536.crash
Corrupt JPEG data: 94 extraneous bytes before marker 0xdd

$ rpm -qa | egrep 'lib(64)?jpeg|jpeg-progs' | sort
jpeg-progs-1.3.1-4.2.mga5
lib64jpeg8-1.3.1-4.2.mga5
lib64jpeg-devel-1.3.1-4.2.mga5
libjpeg62-1.3.1-4.2.mga5
libjpeg8-1.3.1-4.2.mga5
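A small regression harness, added here and not part of the bug report or of libjpeg-turbo, that automates the PoC runs from the Mageia 6 and Mageia 5 x86_64 test reports above. It runs djpeg with the ordered-dither switches on each crash file and classifies the result by exit status, so a segfault (status 139) is told apart from libjpeg merely rejecting the input, and it only passes -crop when the installed djpeg lists that switch. It assumes djpeg is on PATH and the two crash files are in the current directory.

```shell
#!/bin/sh
# Added example (not from the bug report): drives the CVE-2017-15232 PoC
# runs from this thread. Assumes djpeg is on PATH and the crash files
# named in the thread are in the current directory.

# Run a command, discard its output and classify how it ended:
#   ok    - exit status 0 (clean decode)
#   error - ordinary non-zero exit, e.g. "Premature end of JPEG file"
#   crash - killed by a signal (status >= 128; 139 is SIGSEGV)
classify_run() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -ge 128 ]; then
        echo crash
    else
        echo error
    fi
}

# -crop is understood by the djpeg 1.5.x in Mageia 6 but is a bogus switch
# for the 1.3.1 build in Mageia 5, which just prints its usage. Probe with
# a deliberately unknown switch and add -crop only when the usage lists it.
poc_run() {
    file=$1
    if djpeg -nosuchswitch </dev/null 2>&1 | grep -q -- '-crop'; then
        set -- -crop "1x1+16+16"
    else
        set --
    fi
    classify_run djpeg "$@" -onepass -dither ordered -dct float -colors 8 \
        -targa -grayscale -outfile /dev/null "$file"
}

# Run before and after installing the update and compare the per-file
# classification; "crash" is the outcome the fix is meant to remove.
main() {
    for f in 001-mozjpeg-quantize_ord_dither-536.crash \
             002-mozjpeg-quantize_ord_dither-536.crash; do
        printf '%s: %s\n' "$f" "$(poc_run "$f")"
    done
}

main "$@"
```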
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK
CC: (none) => mageia
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
And thanks to Herman and PC LX for your tests.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0407.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED