Bug 25296 - libjpeg new security issues CVE-2016-3616, CVE-2018-1121[2-4], and CVE-2019-2201
Summary: libjpeg new security issues CVE-2016-3616, CVE-2018-1121[2-4], and CVE-2019-2201
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-12 20:51 CEST by David Walser
Modified: 2019-11-19 22:18 CET

See Also:
Source RPM: libjpeg-2.0.2-1.mga7.src.rpm
CVE: CVE-2019-2201
Status comment:


Attachments

Description David Walser 2019-08-12 20:51:34 CEST
RedHat has issued an advisory on August 6:
https://access.redhat.com/errata/RHSA-2019:2052

The RedHat bugs have links to upstream fixes.  Most likely, the Mageia 7 version already has these fixes, but it needs to be double-checked.  Mageia 6 would certainly be affected.
David Walser 2019-08-12 20:51:40 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Lewis Smith 2019-08-13 20:57:51 CEST
Assigning globally as no specific maintainer.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-11-11 17:32:20 CET
At the very least, we need to update to 2.0.3, which fixes CVE-2019-2201:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884
https://source.android.com/security/bulletin/2019-11-01
https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff

Summary: libjpeg new security issues CVE-2016-3616 and CVE-2018-1121[2-4] => libjpeg new security issues CVE-2016-3616, CVE-2018-1121[2-4], and CVE-2019-2201

Comment 3 David Walser 2019-11-12 14:09:18 CET
See this thread:
https://www.openwall.com/lists/oss-security/2019/11/11/1
David Walser 2019-11-12 14:17:15 CET

Component: RPM Packages => Security
QA Contact: (none) => security

Comment 4 Nicolas Salguero 2019-11-13 10:24:57 CET
Mageia 7 already has fix for CVE-2016-3616, CVE-2018-1121[2-4].

CC: (none) => nicolas.salguero

Comment 5 Nicolas Salguero 2019-11-13 10:30:17 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Several integer overflow issues and subsequent segfaults occur in libjpeg-turbo when attempting to compress or decompress gigapixel images. (CVE-2019-2201)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2201
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
https://source.android.com/security/bulletin/2019-11-01
https://www.openwall.com/lists/oss-security/2019/11/11/1
========================

Updated packages in core/updates_testing:
========================
lib(64)jpeg8-2.0.3-1.mga7
lib(64)jpeg62-2.0.3-1.mga7
lib(64)turbojpeg0-2.0.3-1.mga7
lib(64)jpeg-devel-2.0.3-1.mga7
lib(64)jpeg-static-devel-2.0.3-1.mga7
jpeg-progs-2.0.3-1.mga7

from SRPMS:
libjpeg-2.0.3-1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-2201
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7

Comment 6 Len Lawrence 2019-11-15 14:37:28 CET
Mageia7, x86_64

CVE-2019-2201
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
The suggested utility to run with this file is part of a testing facility which does not exist here.
Tried simply displaying it.
gqview shows a blank panel and display tries to create an image at full resolution but takes forever (had to kill it).  eom segfaults after three seconds.  Running that under strace shows that libjpeg is opened.
Tried decompressing the reproducer file using djpeg and succeeded in producing a ppm file after a few minutes.  Compressing that into a new jpeg file worked also.  These tests before updating would indicate that the integer overflow issues had already been fixed in Mageia7.

Installed all the packages listed.

eom still segfaults on the large image.  The trace does not show any calls to libturbojpeg so this may not be a legitimate test.
However:
$ djpeg -pnm CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg > test.ppm
$ ll
-rw-rw-r-- 1 lcl lcl    4199035 Nov 15 10:30  CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg
-rw-r--r-- 1 lcl lcl       2725 Jul 28  2018  report.23238
-rw-r--r-- 1 lcl lcl        596 Nov 15 11:13 '#report.25296#'
-rw-r--r-- 1 lcl lcl 2147490094 Nov 15 11:17  test.ppm
-rw-r--r-- 1 lcl lcl     763047 Nov 15 11:08  trace
$ cjpeg -outfile newfile.jpg test.ppm
$ ll newfile.jpg
-rw-r--r-- 1 lcl lcl 11196343 Nov 15 11:23 newfile.jpg
$ file *.jpg
CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=7, description=QA reproducer for CVE-2019-2201, xresolution=156, yresolution=164, resolutionunit=2, software=GIMP 2.10.12, datetime=2019:11:11 13:51:21], comment: "QA reproducer for CVE-2019-2201", baseline, precision 8, 26755x26755, components 3
newfile.jpg:                                       JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 26755x26755, components 3

$ rdjpgcom CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg
QA reproducer for CVE-2019-2201
wolfgang.frisch@suse.com\000

Using strace during compression does not reveal any use of libjpeg-turbo but it is needed by the utilities package.
$ urpmq --whatrequires-recursive lib64turbojpeg0 | grep jpeg-progs
jpeg-progs

Wrote comment into a JPEG file.
$ wrjpgcom -comment "Experimental comment for QA" newfile.jpg > withcomment.jpg
Extract from ls:
-rw-r--r-- 1 lcl lcl   11196343 Nov 15 12:27  newfile.jpg
-rw-r--r-- 1 lcl lcl   11196374 Nov 15 12:55  withcomment.jpg
The size differs in accordance with the length of the string, plus delimiters.
$ rdjpgcom withcomment.jpg
Experimental comment for QA

$ jpegtran -flip horizontal JessicaAlba.jpg > flipped.jpg
$ jpegtran -flip vertical LochLubnaig_4.jpg > upsidedown.jpg
$ jpegtran -transpose workspace.jpg > work1.jpg
$ jpegtran -transverse workspace.jpg > work2.jpg
$ jpegtran -grayscale JessicaAlba.jpg > greyscale.jpg
$ jpegtran -perfect -rotate 90 work1.jpg > work3.jpg
$ jpegtran -crop 800x640+300+200 workspace.jpg > work4.jpg
All these transformations worked, although the dimensions were not exact for work4.jpg; probably something to do with sampling intervals.

This all looks good.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
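The advisory in comment 5 and the QA run in comment 6 both turn on the size of the decoded image. The reproducer is 26755x26755 with 3 components, and the PPM that djpeg wrote above is 2147490094 bytes: a 19-byte PPM header plus 2147490075 bytes of pixel data, which is 6428 bytes more than INT_MAX (2^31-1), so that product no longer fits a C int. The script below is an added example, not code from this bug, from Mageia or from libjpeg-turbo: it reads only the SOF header of a JPEG to recover the geometry, computes the decoded buffer size with exact arithmetic, and flags files a 32-bit size computation would overflow, so a service can refuse such a file before handing it to a decoder at all. The JPEG inputs it feeds itself are constructed headers (SOI, APP0, SOF0, EOI, no scan data) that share only the reproducer's dimensions; the 100-megapixel policy limit is an assumed value.

```python
import struct

# A size computed in a C int wraps once height * width * components
# exceeds this value, which is the arithmetic behind the advisory text.
INT32_MAX = 2**31 - 1

# Start-of-frame marker codes (SOF0..SOF15, excluding the DHT, JPG and DAC
# codes that share the 0xC0 range but are not frame headers).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_dimensions(data: bytes):
    """Walk the marker segments of a JPEG and return (height, width,
    components) from the first SOF header, without decoding any pixels."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                              # EOI before any frame header
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone markers (TEM, RSTn, SOI)
            pos += 2
            continue
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seglen < 2 or pos + 2 + seglen > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker in SOF_MARKERS:
            if seglen < 8:
                raise ValueError("truncated SOF segment")
            _precision, height, width, ncomp = struct.unpack(
                ">BHHB", data[pos + 4:pos + 10])
            return height, width, ncomp
        if marker == 0xDA:                              # SOS without a preceding SOF
            break
        pos += 2 + seglen
    raise ValueError("no SOF marker found")


def raw_buffer_size(height, width, ncomp):
    """Bytes needed for the decoded 8-bit image, computed exactly (Python ints do not wrap)."""
    return height * width * ncomp


def check_image(data: bytes, max_pixels=100_000_000):
    """Report the frame geometry, whether a 32-bit size computation would
    overflow, and whether the image exceeds the caller's pixel budget."""
    height, width, ncomp = jpeg_dimensions(data)
    raw = raw_buffer_size(height, width, ncomp)
    return {
        "width": width,
        "height": height,
        "components": ncomp,
        "raw_bytes": raw,
        "overflows_int32": raw > INT32_MAX,
        "exceeds_policy": height * width > max_pixels,   # assumed policy limit
    }


def _minimal_jpeg_header(width, height, ncomp=3):
    """Constructed test input: SOI + JFIF APP0 + SOF0 + EOI, no scan data.
    That is all a pre-decode geometry check ever needs to look at."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    comps = b"".join(
        struct.pack(">BBB", i + 1, 0x22 if i == 0 else 0x11, 0 if i == 0 else 1)
        for i in range(ncomp))
    sof0 = struct.pack(">BHHB", 8, height, width, ncomp) + comps
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0
            + b"\xff\xd9")


# Same geometry as the QA reproducer used in this bug (26755x26755, 3 components).
GIGAPIXEL_HEADER = _minimal_jpeg_header(26755, 26755)
# A normal-sized image for comparison.
SMALL_HEADER = _minimal_jpeg_header(800, 640)

if __name__ == "__main__":
    for name, blob in (("gigapixel", GIGAPIXEL_HEADER), ("small", SMALL_HEADER)):
        print(name, check_image(blob))
```

Because the check reads only the frame header, it costs a few hundred bytes of I/O per file and can sit in front of any decoder, fixed or not; the exact raw_bytes figure for the gigapixel header matches the pixel-data portion of the test.ppm size listed in comment 6.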

Comment 7 Thomas Andrews 2019-11-17 02:19:03 CET
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 Nicolas Salguero 2019-11-18 09:19:51 CET
(In reply to David Walser from comment #8)
> Hi Nicholas,

Hi David,

> Do we also already have fixes for CVE-2018-19664 and CVE-2018-20330?
> https://usn.ubuntu.com/4190-1/
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19664.html
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20330.html

Yes, version 2.0.2 already has those fixes.
Thomas Backlund 2019-11-19 18:07:43 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 10 Mageia Robot 2019-11-19 22:18:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0329.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
