Fedora has issued an advisory today (April 4): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/66ZW65INCWSQYIT5E6N6I6PE5D7R6EK7/ The issue is fixed upstream in 1.5.3. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.5.3
Whiteboard: (none) => MGA8TOO
Assigning to our registered jpegoptim maintainer
CC: (none) => marja11
Assignee: bugsquad => dan
jpegoptim-1.5.3-1.mga9 is available in updates_testing in Cauldron with an outstanding move request to mga9.
jpegoptim-1.5.1-1.1.mga8 is available in updates_testing in mga8.

Generic regression test procedure:
1. cp /usr/share/doc/HTML/en/common/top-kde.jpg /tmp  # or another suitable JPEG file
2. jpegoptim -tv /tmp/top-kde.jpg
3. display /tmp/top-kde.jpg  # or another image viewing program
The result should be no error messages shown and a visible image that matches the original.

Security fix test procedure:
1. sudo urpmi curl valgrind
2. curl -RLo /tmp/poc.jpg https://github.com/blu3sh0rk/Fuzzing-crash/raw/main/jpegoptim/stdout-heapoverflow
3. valgrind jpegoptim --stdout /tmp/poc.jpg >/tmp/out
valgrind will show "Invalid read" and "write(buf) points to uninitialised byte(s)" errors on a vulnerable jpegoptim (e.g. jpegoptim-1.5.1-1.mga8) and no errors on a fixed jpegoptim (e.g. jpegoptim-1.5.1-1.1.mga8).
Whiteboard: MGA8TOO => MGA8TOO has_procedure
CC: (none) => dan
Assignee: dan => qa-bugs
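The security fix check from the procedure above, turned into a scriptable verdict. This is an added example, not part of the original comment or of Mageia's QA tooling. The function names, the /tmp/vg.log path and the sample logs are assumptions constructed for illustration. Note that a log with no ERROR SUMMARY line is reported as incomplete rather than fixed, so a killed or truncated run cannot pass as a clean one.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a valgrind log produced by
#   valgrind --log-file=/tmp/vg.log jpegoptim --stdout /tmp/poc.jpg >/tmp/out
# The log path and the function names are assumptions made for this example.

# Prints one of: vulnerable, fixed, other-errors, incomplete
classify_valgrind_log() {
    log=$1
    [ -r "$log" ] || { echo incomplete; return 2; }
    # The two messages the test procedure names for a vulnerable build.
    if grep -Eq '^==[0-9]+== (Invalid read of size |Syscall param write\(buf\) points to uninitialised byte\(s\))' "$log"; then
        echo vulnerable; return 1
    fi
    # valgrind writes ERROR SUMMARY last; without it the run was cut short,
    # so the absence of error messages proves nothing.
    summary=$(grep -E '^==[0-9]+== ERROR SUMMARY: [0-9]+ errors' "$log" | tail -n 1)
    [ -n "$summary" ] || { echo incomplete; return 2; }
    count=$(printf '%s\n' "$summary" | sed -E 's/.*ERROR SUMMARY: ([0-9]+) errors.*/\1/')
    if [ "$count" -eq 0 ]; then
        echo fixed; return 0
    fi
    echo other-errors; return 1
}

# Constructed sample logs (abridged valgrind output, PIDs invented).
sample_log() {
    case $1 in
    vulnerable) cat <<'EOF'
==4242== Invalid read of size 8
==4242== Syscall param write(buf) points to uninitialised byte(s)
==4242== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
EOF
    ;;
    fixed) cat <<'EOF'
==4243== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
EOF
    ;;
    truncated) cat <<'EOF'
==4244== Command: jpegoptim --stdout /tmp/poc.jpg
EOF
    ;;
    esac
}
```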
Suggested advisory:
========================

Updated jpegoptim packages fix a security vulnerability.

A heap-buffer-overflow can occur when processing a corrupted JPEG image file.

References:
https://bugs.mageia.org/show_bug.cgi?id=31764
https://github.com/tjko/jpegoptim/issues/132
https://nvd.nist.gov/vuln/detail/CVE-2023-27781
========================

Updated packages in core/updates_testing:
========================
jpegoptim-1.5.1-1.1.mga8

Source RPMs:
jpegoptim-1.5.1-1.1.mga8.src.rpm
Status comment: Fixed upstream in 1.5.3 => (none)
Whiteboard: MGA8TOO has_procedure => (none)
Version: Cauldron => 8
Keywords: (none) => has_procedure
David, I noticed you moved has_procedure from Whiteboard to Keywords. Does that mean https://wiki.mageia.org/en/QA_whiteboard_keywords needs to be changed?
Yes, thank you for catching that.
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Following lead above.
$ cd Pictures/19761105TrouwLodeNoella/
$ cp D053.jpg /tmp
$ jpegoptim -tv /tmp/D053.jpg
Using maximum of 1 parallel threads
/tmp/D053.jpg 1656x988 24bit N JFIF [OK] 125813 --> 116929 bytes (7.06%), optimized.
Average compression (1 files): 7.06% (total saved 9k)
Checked file sizes: original 125kb, optimized 116kb
$ display /tmp/D053.jpg
$ display D053.jpg
Both files display OK, no visible differences.
Good to go.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0143.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED