Bug 30886 - libjpeg new security issue CVE-2021-46822
Summary: libjpeg new security issue CVE-2021-46822
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-23 18:23 CEST by David Walser
Modified: 2022-10-01 19:50 CEST

See Also:
Source RPM: libjpeg-2.0.7-1.mga8.src.rpm
CVE: CVE-2021-46822
Status comment:


Description David Walser 2022-09-23 18:23:30 CEST
Ubuntu has issued an advisory on September 22:
https://ubuntu.com/security/notices/USN-5631-1

The issue is fixed upstream in 2.1.0.

The fix isn't included in 2.0.8, but we should also update it to that:
https://github.com/libjpeg-turbo/libjpeg-turbo/releases/tag/2.0.8-esr
https://github.com/libjpeg-turbo/libjpeg-turbo/blob/2.0.8-esr/ChangeLog.md

David Walser 2022-09-23 18:23:43 CEST

Status comment: (none) => Patches available from upstream and Ubuntu

Comment 1 Lewis Smith 2022-09-23 20:39:16 CEST
Once again assigning this to NicolasS who did the last CVE update on this pkg. No other individual packager 'visible'.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2022-09-26 13:33:29 CEST
(In reply to David Walser from comment #0)
> The fix isn't included in 2.0.8, but we should also update it to that:

In fact, after comparing the patch and the code in version 2.0.8, I can say that the patch is included.

CC: (none) => nicolas.salguero

Comment 3 Nicolas Salguero 2022-09-26 13:38:41 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c. (CVE-2021-46822)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46822
https://ubuntu.com/security/notices/USN-5631-1
https://github.com/libjpeg-turbo/libjpeg-turbo/blob/2.0.8-esr/ChangeLog.md
========================

Updated packages in core/updates_testing:
========================
jpeg-progs-2.0.8-1.mga8
lib(64)jpeg62-2.0.8-1.mga8
lib(64)jpeg8-2.0.8-1.mga8
lib(64)jpeg-devel-2.0.8-1.mga8
lib(64)jpeg-static-devel-2.0.8-1.mga8
lib(64)turbojpeg0-2.0.8-1.mga8

from SRPM:
libjpeg-2.0.8-1.mga8.src.rpm

CVE: (none) => CVE-2021-46822
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Status comment: Patches available from upstream and Ubuntu => (none)
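
Added example (not part of the bug report or of libjpeg-turbo's code): a C header check that flags the two load combinations named in the advisory text of Comment 3, a 16-bit binary PPM going into a grayscale buffer and a 16-bit binary PGM going into an RGB buffer. The names read_field and pnm_triage, the dest_components convention and the 65535 field cap are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Skip whitespace and '#' comments, then read one decimal header field.
   Returns 0 on success, -1 if truncated, non-numeric, zero or above 65535. */
static int read_field(const unsigned char *p, size_t n, size_t *i,
                      unsigned long *out) {
    unsigned long v = 0;
    while (*i < n && (isspace(p[*i]) || p[*i] == '#')) {
        if (p[*i] == '#')
            while (*i < n && p[*i] != '\n') (*i)++;
        else
            (*i)++;
    }
    if (*i >= n || !isdigit(p[*i])) return -1;
    for (; *i < n && isdigit(p[*i]); (*i)++) {
        v = v * 10 + (unsigned long)(p[*i] - '0');
        if (v > 65535) return -1;
    }
    *out = v;
    return v == 0 ? -1 : 0;
}

/* Triage a binary PGM (P5) / PPM (P6) header against the two cases in the
   CVE-2021-46822 description. dest_components is this example's convention:
   1 = grayscale destination buffer, 3 = RGB destination buffer.
   Returns -1 if malformed or not P5/P6, 1 for an advisory case, 0 otherwise. */
int pnm_triage(const unsigned char *p, size_t n, int dest_components) {
    unsigned long w, h, maxval;
    size_t i = 2;
    if (n < 3 || p[0] != 'P' || (p[1] != '5' && p[1] != '6')) return -1;
    if (!isspace(p[2])) return -1;
    if (read_field(p, n, &i, &w) || read_field(p, n, &i, &h) ||
        read_field(p, n, &i, &maxval)) return -1;
    if (maxval <= 255) return 0;                     /* 8-bit samples */
    return (p[1] == '6' && dest_components == 1) ||  /* 16-bit PPM -> gray */
           (p[1] == '5' && dest_components == 3);    /* 16-bit PGM -> RGB */
}

int main(void) {
    /* Constructed sample headers (no pixel data follows them). */
    const char *ppm16 = "P6\n# constructed\n4 4\n65535\n";
    const char *pgm8 = "P5 4 4 255\n";
    printf("%d %d\n",
           pnm_triage((const unsigned char *)ppm16, strlen(ppm16), 1),
           pnm_triage((const unsigned char *)pgm8, strlen(pgm8), 3));
    return 0;
}
```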

Comment 4 David Walser 2022-09-26 14:10:56 CEST
Are you sure?  It wasn't in the list of commits between 2.0.7 and 2.0.8.

Comment 5 Nicolas Salguero 2022-09-26 14:24:31 CEST
I found this commit: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/5b56c7f80817955daa60d8b60644d0a5a0caa90a, which corresponds to https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2 and predates the release of version 2.0.7, so I think that not only is 2.0.8 not affected, but neither is version 2.0.7.

Comment 6 Herman Viaene 2022-09-26 16:17:58 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Tests as in bug 30500 Comment 1.
$ wrjpgcom -comment "Experimental comment for  QA"    D053.jpg  > withcomment.jpg
$ ls -als
total 356
  4 drwxr-xr-x 2 tester8 tester8   4096 Sep 26 15:55 ./
  4 drwxr-xr-x 4 tester8 tester8   4096 Sep 26 15:53 ../
124 -rw-r--r-- 1 tester8 tester8 125795 Oct 18  2017 D053.jpg
100 -rw-r--r-- 1 tester8 tester8  99741 Oct 18  2017 D078.jpg
124 -rw-r--r-- 1 tester8 tester8 125827 Sep 26 15:55 withcomment.jpg
[tester8@mach7 19761105TrouwLodeNoella]$ rdjpgcom withcomment.jpg
Experimental comment for  QA
$ jpegtran -flip horizontal D078.jpg > flipped.jpg
$ ls
D053.jpg  D078.jpg  flipped.jpg  withcomment.jpg
In other folder
$ jpegtran -flip vertical  P2061409.JPG > upsidedown.jpg
$ ls
blad.odg       P2061410.JPG*  P2061412.JPG*  P2061414.JPG*  P2061416.JPG*  P2061418.JPG*  upsidedown.jpg
P2061409.JPG*  P2061411.JPG*  P2061413.JPG*  P2061415.JPG*  P2061417.JPG*  P2061419.JPG*
Switching folders
$ jpegtran -transpose  D053.jpg  > work1.jpg
$ jpegtran -transverse D053.jpg > work2.jpg
$ jpegtran -grayscale   P2061409.JPG > greyscale.jpg
$ jpegtran -perfect -rotate 90 work1.jpg > work3.jpg
jpegtran: transformation is not perfect
The resulting file is not a valid image file
$ jpegtran -rotate 90 work1.jpg > work3.jpg
$ jpegtran -crop 800x640+300+200  D053.jpg > work4.jpg

All resulting files look OK as images.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2022-09-28 04:57:02 CEST
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-01 17:01:48 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-10-01 19:50:07 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0353.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
