Fedora has issued an advisory today (June 26): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3CDV3ULRXQEMV7OHCB5MSITEIVOI5EPN/ The issue only affects the cjpeg utility and not the library itself. Mageia 5 and Mageia 6 are also affected. It would be OK to just check a patch into SVN for this for now.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package, CC'ing two committers.
CC: (none) => joequant, marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs
SUSE has issued an advisory on June 27: http://lists.suse.com/pipermail/sle-security-updates/2018-June/004223.html The SUSE bug for CVE-2018-1152 has a link to the upstream commit that fixed it: https://bugzilla.suse.com/show_bug.cgi?id=1098155
Summary: libjpeg new security issue CVE-2018-11813 => libjpeg new security issues CVE-2018-1152 and CVE-2018-11813
Fedora has issued an advisory for this on July 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHRJSPZHPTSJWFXG5YW7OD4MM4WAPXFF/
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libjpeg package fixes security vulnerabilities:

It was found that libjpeg is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image (CVE-2018-1152).

It was found that libjpeg had a defect where, due to a mishandled EOF, a specially crafted malformed input file (specifically a file with a valid Targa header but incomplete pixel data) would cause cjpeg to generate a file that was potentially thousands of times larger than the input file (CVE-2018-11813).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1152
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3CDV3ULRXQEMV7OHCB5MSITEIVOI5EPN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHRJSPZHPTSJWFXG5YW7OD4MM4WAPXFF/
========================

Updated packages in core/updates_testing:
========================
jpeg-progs-1.5.1-1.2.mga6
lib64jpeg62-1.5.1-1.2.mga6
lib64jpeg8-1.5.1-1.2.mga6
lib64jpeg-devel-1.5.1-1.2.mga6
lib64jpeg-static-devel-1.5.1-1.2.mga6
lib64turbojpeg0-1.5.1-1.2.mga6

from libjpeg-1.5.1-1.2.mga6.src.rpm

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=6928#c6
https://bugs.mageia.org/show_bug.cgi?id=21974#c6
Whiteboard: MGA6TOO => (none)
Keywords: (none) => has_procedure
CC: (none) => mrambo
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
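As an added example (not code from libjpeg, the advisory or this bug), the Targa condition described in the advisory, a valid header followed by incomplete pixel data, turned into a pre-flight check that can reject such a file before it reaches cjpeg; it also walks RLE-compressed images, which goes beyond the uncompressed case the advisory names. The TGA header layout is taken from the public TGA specification, and the sample images are constructed inline.

```python
# Added example (not libjpeg/Mageia code): pre-flight check that a Targa (TGA)
# file really carries the pixel data its header announces (CVE-2018-11813 condition).
import struct

TGA_HEADER = struct.Struct("<BBBHHBHHHHBB")  # 18-byte little-endian header

def tga_pixel_status(data: bytes):
    """Return (expected_pixels, pixels_found, complete). Uncompressed types
    (1, 2, 3) are checked by size; RLE types (9, 10, 11) are walked packet by
    packet so a packet cut off mid-way is detected."""
    if len(data) < TGA_HEADER.size:
        raise ValueError("short TGA header")
    (id_len, cmap_type, img_type, _first, cmap_len, cmap_bits,
     _x, _y, width, height, depth, _desc) = TGA_HEADER.unpack_from(data)
    if width == 0 or height == 0 or depth not in (8, 15, 16, 24, 32):
        raise ValueError("implausible TGA dimensions or pixel depth")
    bpp = (depth + 7) // 8
    expected = width * height
    start = TGA_HEADER.size + id_len  # skip the image ID field
    if cmap_type == 1:                # and the colour map, if present
        start += cmap_len * ((cmap_bits + 7) // 8)
    body = data[start:]
    if img_type in (1, 2, 3):
        found = min(len(body) // bpp, expected)
    elif img_type in (9, 10, 11):
        found = pos = 0
        while found < expected and pos < len(body):
            hdr = body[pos]
            count = (hdr & 0x7F) + 1
            need = bpp if hdr & 0x80 else bpp * count  # run vs raw packet
            if pos + 1 + need > len(body):
                break  # packet cut off: pixel data incomplete
            pos += 1 + need
            found += count
        found = min(found, expected)
    else:
        raise ValueError("unsupported TGA image type %d" % img_type)
    return expected, found, found == expected

def make_tga(width, height, pixels, img_type=2, depth=24):
    """Minimal TGA with no ID field or colour map (constructed sample data)."""
    return TGA_HEADER.pack(0, 0, img_type, 0, 0, 0, 0, 0, width, height, depth, 0) + pixels

# Constructed 2x2 24-bit samples: complete, and cut off inside the pixel data.
COMPLETE_TGA = make_tga(2, 2, bytes(range(12)))
TRUNCATED_TGA = make_tga(2, 2, bytes(range(12))[:5])
RLE_COMPLETE = make_tga(2, 2, b"\x83\x01\x02\x03", img_type=10)              # one run of 4 pixels
RLE_TRUNCATED = make_tga(2, 2, b"\x01\x01\x02\x03\x04\x05\x06", img_type=10)  # raw packet: 2 of 4 pixels
```

A file reported as incomplete is exactly the input class the advisory describes, so a wrapper can refuse it instead of letting an unpatched cjpeg loop on the missing data.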
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.

At CLI:
$ djpeg -verbose -bmp 34815267.jpg > 34815267.bmp
libjpeg-turbo version 1.5.1 (build 20180725)
Copyright (C) 2009-2016 D. R. Commander
Copyright (C) 2011-2016 Siarhei Siamashka
Copyright (C) 2015-2016 Matthieu Darbois
Copyright (C) 2015 Google, Inc.
Copyright (C) 2013-2014 MIPS Technologies, Inc.
Copyright (C) 2013 Linaro Limited
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 1991-2016 Thomas G. Lane, Guido Vollbeding
Emulating The Independent JPEG Group's software, version 8d 15-Jan-2012
Start of Image
JFIF APP0 marker: version 1.01, density 72x72 1
Miscellaneous marker 0xe2, length 1318
Define Quantization Table 0 precision 0
Define Quantization Table 1 precision 0
Start Of Frame 0xc0: width=500, height=375, components=3
Component 1: 1hx1v q=0
Component 2: 1hx1v q=1
Component 3: 1hx1v q=1
Define Huffman Table 0x00
Define Huffman Table 0x10
Define Huffman Table 0x01
Define Huffman Table 0x11
Start Of Scan: 3 components
Component 1: dc=0 ac=0
Component 2: dc=1 ac=1
Component 3: dc=1 ac=1
Ss=0, Se=63, Ah=0, Al=0
End Of Image

$ display 34815267.bmp
display is OK

$ cjpeg -grayscale -verbose 34815267.bmp > gray1.jpg
libjpeg-turbo version 1.5.1 (build 20180725)
Copyright (C) 2009-2016 D. R. Commander
Copyright (C) 2011-2016 Siarhei Siamashka
Copyright (C) 2015-2016 Matthieu Darbois
Copyright (C) 2015 Google, Inc.
Copyright (C) 2013-2014 MIPS Technologies, Inc.
Copyright (C) 2013 Linaro Limited
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 1991-2016 Thomas G. Lane, Guido Vollbeding
Emulating The Independent JPEG Group's software, version 8d 15-Jan-2012
500x375 24-bit BMP image

$ display gray1.jpg
display is OK

$ jpegtran -rotate 90 gray1.jpg > gray2.jpg
$ display gray2.jpg
display is OK

Files look OK in preview in caja as well.
OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Mageia 6, x86_64

Checked the CVEs before updating.

CVE-2018-11813
Report @ https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9c
PoC file from this link - click on it then download the file:
https://github.com/ChijinZ/security_advisories/blob/master/libjpeg-v9c/large_loop

$ perf record cjpeg large_loop > out
[ perf record: Woken up 384 times to write data ]
[ perf record: Captured and wrote 96.730 MB perf.data (2535050 samples) ]

This goes into a spin, 100% on one core, for a very long time, creating a 21MB file from a 6KB input. The perf.data file is even larger, 101MB.

CVE-2018-1152
Denial of Service in libturbojpeg. No test found.

Updated from testing; ran the available PoC.

$ perf record cjpeg large_loop > out
Premature end of input file
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.023 MB perf.data (7 samples) ]

This returned immediately with an empty out file.

strace showed that GraphicsMagick employs lib64jpeg at some stage in JPEG conversions. Ran similar tests to those already reported by other users.

$ djpeg -verbose sunset.jpg > sunset.bmp
libjpeg-turbo version 1.5.1 (build 20180725)
Copyright (C) 2009-2016 D. R. Commander
[...]
Emulating The Independent JPEG Group's software, version 8d 15-Jan-2012
Start of Image
JFIF APP0 marker: version 1.01, density 72x72 1
Comment, length 16: Adobe ImageReady
Define Quantization Table 0 precision 0
Define Quantization Table 1 precision 0
Start Of Frame 0xc2: width=1600, height=1066, components=3
Component 1: 1hx1v q=0
Component 2: 1hx1v q=1
Component 3: 1hx1v q=1
Define Huffman Table 0x00
[...]

$ gm display sunset.bmp
$ gwenview sunset.bmp
QImageReader::read() using format hint "bmp" failed: "Unknown error"
A bad Qt image decoder moved the buffer to 14 in a call to canRead()! Rewinding.
Image format is actually "ppm" not "bmp"
<gwenview did display the image>

Taking note of herman's modification:
$ djpeg -verbose -bmp sunset.jpg > sunset_1.bmp
gwenview can now display the image without quibbling.

This also works:
$ djpeg sunset.jpg > sunset.pgm

$ ll sunset*
-rw-r--r-- 1 lcl lcl 5116854 Jul 28 19:15 sunset_1.bmp
-rw-r--r-- 1 lcl lcl 5116817 Jul 28 19:10 sunset.bmp
-rw-r--r-- 1 lcl lcl 1287911 Mar 14 22:01 sunset.jpg
-rw-r--r-- 1 lcl lcl 5116817 Jul 28 19:19 sunset.pgm

$ cjpeg -grayscale -verbose sunset.bmp > sunset_grey.jpg
libjpeg-turbo version 1.5.1 (build 20180725)
Copyright (C) 2009-2016 D. R. Commander
[...]
Emulating The Independent JPEG Group's software, version 8d 15-Jan-2012
1600x1066 PPM image

Greyscale image as expected.

$ jpegtran -rotate 180 sunset_1.jpg > sunset_flip.jpg
$ gm display sunset_flip.jpg
Upside down, as required.

OK for 64-bits as well.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => tarazed25
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0327.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED