RedHat has issued an advisory on August 6: https://access.redhat.com/errata/RHSA-2019:2052 The RedHat bugs have links to upstream fixes. Most likely, the Mageia 7 version already has these fixes, but it needs to be double-checked. Mageia 6 would certainly be affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning globally as no specific maintainer.
Assignee: bugsquad => pkg-bugs
At the very least, we need to update to 2.0.3, which fixes CVE-2019-2201:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884
https://source.android.com/security/bulletin/2019-11-01
https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff
Summary: libjpeg new security issues CVE-2016-3616 and CVE-2018-1121[2-4] => libjpeg new security issues CVE-2016-3616, CVE-2018-1121[2-4], and CVE-2019-2201
See this thread: https://www.openwall.com/lists/oss-security/2019/11/11/1
Component: RPM Packages => Security
QA Contact: (none) => security
Mageia 7 already has the fixes for CVE-2016-3616 and CVE-2018-1121[2-4].
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Several integer overflow issues and subsequent segfaults occur in libjpeg-turbo when attempting to compress or decompress gigapixel images. (CVE-2019-2201)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2201
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
https://source.android.com/security/bulletin/2019-11-01
https://www.openwall.com/lists/oss-security/2019/11/11/1
========================

Updated packages in core/updates_testing:
========================
lib(64)jpeg8-2.0.3-1.mga7
lib(64)jpeg62-2.0.3-1.mga7
lib(64)turbojpeg0-2.0.3-1.mga7
lib(64)jpeg-devel-2.0.3-1.mga7
lib(64)jpeg-static-devel-2.0.3-1.mga7
jpeg-progs-2.0.3-1.mga7

from SRPMS:
libjpeg-2.0.3-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-2201
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7
Mageia7, x86_64

CVE-2019-2201
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388

The suggested utility to run with this file is part of a testing facility which does not exist here. Tried simply displaying it. gqview shows a blank panel and display tries to create an image at full resolution but takes forever (had to kill it). eom segfaults after three seconds. Running that under strace shows that libjpeg is opened.

Tried decompressing the reproducer file using djpeg and succeeded in producing a ppm file after a few minutes. Compressing that into a new jpeg file worked also. These tests before updating would indicate that the integer overflow issues had already been fixed in Mageia7.

Installed all the packages listed.

eom still segfaults on the large image. The trace does not show any calls to libturbojpeg so this may not be a legitimate test. However:

$ djpeg -pnm CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg > test.ppm
$ ll
-rw-rw-r-- 1 lcl lcl 4199035 Nov 15 10:30 CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg
-rw-r--r-- 1 lcl lcl 2725 Jul 28 2018 report.23238
-rw-r--r-- 1 lcl lcl 596 Nov 15 11:13 '#report.25296#'
-rw-r--r-- 1 lcl lcl 2147490094 Nov 15 11:17 test.ppm
-rw-r--r-- 1 lcl lcl 763047 Nov 15 11:08 trace
$ cjpeg -outfile newfile.jpg test.ppm
$ ll newfile.jpg
-rw-r--r-- 1 lcl lcl 11196343 Nov 15 11:23 newfile.jpg
$ file *.jpg
CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=7, description=QA reproducer for CVE-2019-2201, xresolution=156, yresolution=164, resolutionunit=2, software=GIMP 2.10.12, datetime=2019:11:11 13:51:21], comment: "QA reproducer for CVE-2019-2201", baseline, precision 8, 26755x26755, components 3
newfile.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 26755x26755, components 3
$ rdjpgcom CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg
QA reproducer for CVE-2019-2201
wolfgang.frisch@suse.com\000

Using strace during compression does not reveal any use of libjpeg-turbo but it is needed by the utilities package.

$ urpmq --whatrequires-recursive lib64turbojpeg0 | grep jpeg-progs
jpeg-progs

Wrote comment into a JPEG file.

$ wrjpgcom -comment "Experimental comment for QA" newfile.jpg > withcomment.jpg

Extract from ls:
-rw-r--r-- 1 lcl lcl 11196343 Nov 15 12:27 newfile.jpg
-rw-r--r-- 1 lcl lcl 11196374 Nov 15 12:55 withcomment.jpg

The size differs in accordance with the length of the string, plus delimiters.

$ rdjpgcom withcomment.jpg
Experimental comment for QA

$ jpegtran -flip horizontal JessicaAlba.jpg > flipped.jpg
$ jpegtran -flip vertical LochLubnaig_4.jpg > upsidedown.jpg
$ jpegtran -transpose workspace.jpg > work1.jpg
$ jpegtran -transverse workspace.jpg > work2.jpg
$ jpegtran -grayscale JessicaAlba.jpg > greyscale.jpg
$ jpegtran -perfect -rotate 90 work1.jpg > work3.jpg
$ jpegtran -crop 800x640+300+200 workspace.jpg > work4.jpg

All these transformations worked, although the dimensions were not exact for work4.jpg; probably something to do with sampling intervals.

This all looks good.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
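Added example, not code from libjpeg-turbo or from the QA comment above: it shows why the 26755x26755 RGB reproducer tested above is a natural trigger for the integer overflows described in the advisory in comment 5, and how checked size arithmetic refuses an overflowing allocation. It assumes the vulnerable pattern is a pixel-buffer size computed in an int (the real upstream fix is in the commit linked earlier); the function names are my own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Dimensions of the reproducer file tested in the comment above (from the page). */
#define REPRO_WIDTH  26755u
#define REPRO_HEIGHT 26755u
#define RGB_BYTES    3u

/* True byte count of an uncompressed w x h image with bpp bytes per pixel,
 * computed in 64 bits so nothing wraps. */
static unsigned long long true_buffer_size(unsigned w, unsigned h, unsigned bpp)
{
    return (unsigned long long)w * h * bpp;
}

/* 1 if that byte count fits an int, 0 otherwise. Assumption for this example:
 * the weak spot is an int-typed size; for the reproducer the product exceeds
 * INT_MAX, so an int result would wrap and mis-size the pixel buffer. */
static int fits_in_int(unsigned w, unsigned h, unsigned bpp)
{
    return true_buffer_size(w, h, bpp) <= (unsigned long long)INT_MAX;
}

/* Hardened sizing: each multiplication is checked against SIZE_MAX before it
 * is performed. Returns 0 and stores the size, or -1 on overflow. */
static int checked_buffer_size(size_t w, size_t h, size_t bpp, size_t *out)
{
    if (w != 0 && h > SIZE_MAX / w)
        return -1;
    size_t pixels = w * h;
    if (pixels != 0 && bpp > SIZE_MAX / pixels)
        return -1;
    *out = pixels * bpp;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int ok = checked_buffer_size(REPRO_WIDTH, REPRO_HEIGHT, RGB_BYTES, &n) == 0;
    /* 2147490075 bytes; the 2147490094-byte test.ppm listed above is this value
     * plus its 19-byte "P6\n26755 26755\n255\n" header. */
    printf("RGB buffer: %llu bytes, fits int: %s, checked size_t: %s\n",
           true_buffer_size(REPRO_WIDTH, REPRO_HEIGHT, RGB_BYTES),
           fits_in_int(REPRO_WIDTH, REPRO_HEIGHT, RGB_BYTES) ? "yes" : "no",
           ok ? "ok" : "overflow");
    return 0;
}
```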
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Hi Nicholas,

Do we also already have fixes for CVE-2018-19664 and CVE-2018-20330?
https://usn.ubuntu.com/4190-1/
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19664.html
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20330.html
(In reply to David Walser from comment #8)
> Hi Nicholas,

Hi David,

> Do we also already have fixes for CVE-2018-19664 and CVE-2018-20330?
> https://usn.ubuntu.com/4190-1/
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19664.html
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20330.html

Yes, version 2.0.2 already has those fixes.
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0329.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED