Ubuntu has issued an advisory on September 22:
https://ubuntu.com/security/notices/USN-5631-1

The issue is fixed upstream in 2.1.0.

The fix isn't included in 2.0.8, but we should also update it to that:
https://github.com/libjpeg-turbo/libjpeg-turbo/releases/tag/2.0.8-esr
https://github.com/libjpeg-turbo/libjpeg-turbo/blob/2.0.8-esr/ChangeLog.md
Status comment: (none) => Patches available from upstream and Ubuntu
Once again assigning this to NicolasS who did the last CVE update on this pkg. No other individual packager 'visible'.
Assignee: bugsquad => nicolas.salguero
(In reply to David Walser from comment #0)
> The fix isn't included in 2.0.8, but we should also update it to that:

In fact, after comparing the patch and the code in version 2.0.8, I can say that the patch is included.
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c. (CVE-2021-46822)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46822
https://ubuntu.com/security/notices/USN-5631-1
https://github.com/libjpeg-turbo/libjpeg-turbo/blob/2.0.8-esr/ChangeLog.md
========================

Updated packages in core/updates_testing:
========================
jpeg-progs-2.0.8-1.mga8
lib(64)jpeg62-2.0.8-1.mga8
lib(64)jpeg8-2.0.8-1.mga8
lib(64)jpeg-devel-2.0.8-1.mga8
lib(64)jpeg-static-devel-2.0.8-1.mga8
lib(64)turbojpeg0-2.0.8-1.mga8

from SRPM:
libjpeg-2.0.8-1.mga8.src.rpm
CVE: (none) => CVE-2021-46822
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Status comment: Patches available from upstream and Ubuntu => (none)
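Added example (not part of this bug report and not libjpeg-turbo code): a Python header check that recognises the input class named in the suggested advisory above, binary PGM/PPM files with 16-bit samples (maxval > 255), so such files can be held back from hosts that have not yet received the update. The function names and the sample byte strings are constructed for illustration.

```python
import re

# Binary Netpbm magics named in the advisory: P5 = PGM, P6 = PPM.
BINARY_MAGICS = {b"P5": "PGM", b"P6": "PPM"}
DIGITS = re.compile(rb"\d+")

def parse_pnm_header(data):
    """Return (kind, width, height, maxval) for a binary PGM/PPM, else None."""
    kind = BINARY_MAGICS.get(data[:2])
    if kind is None or not data[2:3].isspace():
        return None
    pos, fields = 2, []
    while len(fields) < 3:
        # Skip whitespace and '#' comments (a comment runs to end of line).
        while pos < len(data) and (data[pos:pos + 1].isspace() or data[pos:pos + 1] == b"#"):
            if data[pos:pos + 1] == b"#":
                nl = data.find(b"\n", pos)
                pos = len(data) if nl == -1 else nl
            else:
                pos += 1
        m = DIGITS.match(data, pos)
        if m is None:
            return None  # truncated or malformed header
        fields.append(int(m.group()))
        pos = m.end()
    width, height, maxval = fields
    if width == 0 or height == 0 or not 0 < maxval < 65536:
        return None
    return kind, width, height, maxval

def row_bytes(header):
    """Bytes per image row in the file: 2 bytes per sample once maxval > 255."""
    kind, width, _height, maxval = header
    channels = 3 if kind == "PPM" else 1
    return width * channels * (2 if maxval > 255 else 1)

def is_16bit_binary_pnm(data):
    """True for the file type the advisory describes (16-bit binary PGM/PPM)."""
    header = parse_pnm_header(data)
    return header is not None and header[3] > 255

# Constructed sample inputs (header plus zero-filled pixel data).
SAMPLE_8BIT_PPM = b"P6\n# constructed sample\n2 1\n255\n" + bytes(6)
SAMPLE_16BIT_PPM = b"P6\n2 1\n65535\n" + bytes(12)
SAMPLE_16BIT_PGM = b"P5 2 1 # constructed\n 1023\n" + bytes(4)

if __name__ == "__main__":
    for name, blob in [("8-bit PPM", SAMPLE_8BIT_PPM), ("16-bit PPM", SAMPLE_16BIT_PPM),
                       ("16-bit PGM", SAMPLE_16BIT_PGM)]:
        print(name, parse_pnm_header(blob), "hold" if is_16bit_binary_pnm(blob) else "pass")
```

The check only classifies files by header; it does not detect exploitation and is no substitute for installing the updated packages.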
Are you sure? It wasn't in the list of commits between 2.0.7 and 2.0.8.
I found this commit: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/5b56c7f80817955daa60d8b60644d0a5a0caa90a, which corresponds to https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2 and dates before release of version 2.0.7 so I think not only 2.0.8 is not affected but also version 2.0.7.
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Tests as in bug 30500 Comment 1.

$ wrjpgcom -comment "Experimental comment for QA" D053.jpg > withcomment.jpg
$ ls -als
total 356
4 drwxr-xr-x 2 tester8 tester8 4096 Sep 26 15:55 ./
4 drwxr-xr-x 4 tester8 tester8 4096 Sep 26 15:53 ../
124 -rw-r--r-- 1 tester8 tester8 125795 Oct 18 2017 D053.jpg
100 -rw-r--r-- 1 tester8 tester8 99741 Oct 18 2017 D078.jpg
124 -rw-r--r-- 1 tester8 tester8 125827 Sep 26 15:55 withcomment.jpg
[tester8@mach7 19761105TrouwLodeNoella]$ rdjpgcom withcomment.jpg
Experimental comment for QA
$ jpegtran -flip horizontal D078.jpg > flipped.jpg
$ ls
D053.jpg D078.jpg flipped.jpg withcomment.jpg

In other folder
$ jpegtran -flip vertical P2061409.JPG > upsidedown.jpg
$ ls
blad.odg P2061410.JPG* P2061412.JPG* P2061414.JPG* P2061416.JPG* P2061418.JPG* upsidedown.jpg
P2061409.JPG* P2061411.JPG* P2061413.JPG* P2061415.JPG* P2061417.JPG* P2061419.JPG*

Switching folders
$ jpegtran -transpose D053.jpg > work1.jpg
$ jpegtran -transverse D053.jpg > work2.jpg
$ jpegtran -grayscale P2061409.JPG > greyscale.jpg
$ jpegtran -perfect -rotate 90 work1.jpg > work3.jpg
jpegtran: transformation is not perfect
The resulting file is not a valid image file
$ jpegtran -rotate 90 work1.jpg > work3.jpg
$ jpegtran -crop 800x640+300+200 D053.jpg > work4.jpg

All resulting files look OK as images.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0353.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED