openSUSE has issued an advisory on November 28:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/MKE5FX6CYNU67TGCF7WUASGPHZHN5WQC/

Fixes:
https://github.com/libjxl/libjxl/commit/9cc451b91b74ba470fd72bd48c121e9f33d24c99 (CVE-2024-11403)
https://github.com/libjxl/libjxl/commit/bf4781a2eed2eef664790170977d1d3d8347efb9 (CVE-2024-11498)
Source RPM: (none) => libjxl-0.10.3-1.mga10.src.rpm, libjxl-0.7.0-6.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patches available from upstream
CVE: (none) => CVE-2024-11403, CVE-2024-11498
Thanks for the patch URLs. Assigning directly to you, David, as you have been maintaining this pkg for a long time.
Assignee: bugsquad => geiger.david68210
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Out of Bounds Memory Read/Write in libjxl. (CVE-2024-11403)

Resource exhaustion via Stack overflow in libjxl. (CVE-2024-11498)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/MKE5FX6CYNU67TGCF7WUASGPHZHN5WQC/
========================

Updated packages in core/updates_testing:
========================
gimp-plugin-jxl-0.7.2-1.mga9
lib(64)jxl0.7-0.7.2-1.mga9
lib(64)jxl-devel-0.7.2-1.mga9
lib(64)jxl_threads0.7-0.7.2-1.mga9
libjxl-tools-0.7.2-1.mga9

from SRPM:
libjxl-0.7.2-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Patches available from upstream => (none)
Source RPM: libjxl-0.10.3-1.mga10.src.rpm, libjxl-0.7.0-6.mga9.src.rpm => libjxl-0.7.0-6.mga9.src.rpm
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 9
Installed and tested without issues.

Tested:
- Tested on a bunch of existing images (jxl, jpeg, png, gif)
- gimp plugin (open/save);
- jxlinfo on multiple images;
- cjxl from jpeg (lossless) then djxl to jpeg, lossless confirmed;
- cjxl from png (lossless) then djxl to png, lossless confirmed;
- cjxl lossy from jpeg, png, gif, ppm;
- djxl to jpeg, png, gif, ppm.

All OK.

System: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics.

$ uname -a
Linux jupiter 6.6.65-desktop-2.mga9 #1 SMP PREEMPT_DYNAMIC Thu Dec 12 12:42:26 UTC 2024 x86_64 GNU/Linux

$ rpm -qa | grep jxl | sort
gimp-plugin-jxl-0.7.2-1.mga9
lib64jxl0.7-0.7.2-1.mga9
lib64jxl_threads0.7-0.7.2-1.mga9
libjxl-tools-0.7.2-1.mga9
CC: (none) => mageia
MGA9-64 Plasma Wayland on Compaq H000SB

No installation issues.

Never used this before, no previous update, so decided to throw some files at the benchmark_xl command.

Tried a few RAW files, that ended in

$ benchmark_xl --input P7212389.ORF
benchmark_xl v0.7.2 [SSE4,SSSE3,Unknown]
2 total threads, 1 tasks, 0 threads, 2 inner threads
Failed to load image P7212389.ORF
Error in jxl codec
./tools/benchmark/benchmark_xl.cc:129: JXL_CHECK: speed_stats.GetSummary(&summary)
Illegal instruction (core dumped)

but a regular jpg file

$ benchmark_xl --input D053.jpg
benchmark_xl v0.7.2 [SSE4,SSSE3,Unknown]
2 total threads, 1 tasks, 0 threads, 2 inner threads
```
D053.jpg
Encoding    kPixels   Bytes     BPP        E MP/s   D MP/s   Max norm    pnorm       BPP*pnorm       Bugs
------------------------------------------------------------------------------------------------------------
jxl         1636      149770    0.7323143  0.364    5.573    1.17285895  0.41383811  0.303059582089  0
Aggregate:  1636      149770    0.7323143  0.364    5.573    1.17285895  0.41383811  0.303059582089  0
```
Allocations: 1691 (max bytes in use: 3.674140E+08)

Looks OK. The outcome with the raw file is somewhat less than desirable, but in view of the other test above, this is good enough to go.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
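As an added example (not part of this bug report and not libjxl project code), the following POSIX shell script automates the two kinds of check the QA reports above do by hand: the cjxl/djxl lossless round trip from the first test report, and a malformed-input check prompted by the benchmark_xl crash in the second, where a decoder handed bad data must fail with an ordinary error status rather than die on a signal. It assumes cjxl, djxl and jxlinfo from libjxl-tools are on PATH; the test image, its colour pattern and all file names are constructed here. The truncation check is a generic robustness test, not a reproducer for CVE-2024-11403 or CVE-2024-11498.

```shell
#!/bin/sh
# Added QA helper for a libjxl-tools update (example code, not part of this
# bug report or of the libjxl project). Assumes cjxl, djxl and jxlinfo are
# on PATH; the test image and file names below are constructed for the demo.

# Write a small binary PPM (P6) with a deterministic colour pattern.
# djxl writes 8-bit RGB with the same "P6\nW H\n255\n" header, so a
# lossless round trip must reproduce this file byte for byte.
# Sample values stay in 1..255 so awk's %c never has to emit a NUL.
make_test_ppm() {
    out=$1; w=${2:-16}; h=${3:-12}
    {
        printf 'P6\n%d %d\n255\n' "$w" "$h"
        # LC_ALL=C so that %c emits one raw byte for values 128..255
        LC_ALL=C awk -v w="$w" -v h="$h" 'BEGIN {
            for (y = 0; y < h; y++)
                for (x = 0; x < w; x++)
                    printf "%c%c%c", (x * 16) % 255 + 1, (y * 20) % 255 + 1, (x * y) % 255 + 1
        }'
    } > "$out"
}

# Lossless round trip: cjxl -d 0 (distance 0 = mathematically lossless),
# jxlinfo must parse the result, djxl decodes back to PPM, bytes must match.
# Returns 0 only when the decoded file is identical to the source.
jxl_roundtrip_lossless() {
    src=$1; tmp=${TMPDIR:-/tmp}/jxlrt.$$
    rc=1
    if cjxl -d 0 -e 1 "$src" "$tmp.jxl" >/dev/null 2>&1 \
       && jxlinfo "$tmp.jxl" >/dev/null 2>&1 \
       && djxl "$tmp.jxl" "$tmp.ppm" >/dev/null 2>&1 \
       && cmp -s "$src" "$tmp.ppm"; then
        rc=0
    fi
    rm -f "$tmp.jxl" "$tmp.ppm"
    return $rc
}

# Malformed input must be rejected with an ordinary error exit, never by a
# signal: a status of 128 or more means the process was killed (132 SIGILL,
# 134 SIGABRT, 139 SIGSEGV), which is what "Illegal instruction (core dumped)"
# in the benchmark_xl run above corresponds to. Generic robustness check only.
jxl_rejects_truncated() {
    src=$1; tmp=${TMPDIR:-/tmp}/jxltr.$$
    cjxl -d 0 -e 1 "$src" "$tmp.jxl" >/dev/null 2>&1 || return 1
    size=$(wc -c < "$tmp.jxl")
    dd if="$tmp.jxl" of="$tmp.cut.jxl" bs=1 count=$((size / 2)) 2>/dev/null
    if djxl "$tmp.cut.jxl" "$tmp.out.ppm" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    rm -f "$tmp.jxl" "$tmp.cut.jxl" "$tmp.out.ppm"
    [ "$rc" -ne 0 ] && [ "$rc" -lt 128 ]
}

# Driver: generate an image and run both checks; returns 2 when the tools
# are not installed, 1 on any failure, 0 when everything passed.
run_checks() {
    for t in cjxl djxl jxlinfo; do
        command -v "$t" >/dev/null 2>&1 || { echo "SKIP: $t not on PATH"; return 2; }
    done
    img=${TMPDIR:-/tmp}/jxlqa.$$.ppm
    make_test_ppm "$img" 64 48
    rc=0
    if jxl_roundtrip_lossless "$img"; then echo "PASS lossless round trip (cjxl -d 0 / djxl)"
    else echo "FAIL lossless round trip"; rc=1; fi
    if jxl_rejects_truncated "$img"; then echo "PASS truncated .jxl rejected cleanly"
    else echo "FAIL truncated .jxl (decoder crashed or accepted it)"; rc=1; fi
    rm -f "$img"
    return $rc
}

# Usage: sh jxl_qa.sh --run
case "${1:-}" in --run) run_checks ;; esac
```

The PPM generator avoids PNG or JPEG as the round-trip container on purpose: two PNG encoders can produce different bytes for the same pixels, so a byte comparison only proves losslessness when both ends write an uncompressed format with a fixed header.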
Keywords: (none) => advisory
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0008.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED