Bug 6928 - libjpeg new security issue CVE-2012-2806
: libjpeg new security issue CVE-2012-2806
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/509206/
: MGA1TOO has_procedure MGA1-32-OK MGA2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-01 22:23 CEST by David Walser
Modified: 2012-08-06 19:19 CEST (History)
4 users (show)

See Also:
Source RPM: libjpeg-1.2.0-4.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-08-01 22:23:07 CEST
OpenSuSE has issued an advisory today (August 1):
http://lists.opensuse.org/opensuse-updates/2012-08/msg00002.html

Cauldron is not vulnerable as it was fixed upstream in 1.2.1.

Patches packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated libjpeg packages fix security vulnerability:

A Heap-based buffer overflow was found in the way libjpeg-turbo
decompressed certain corrupt JPEG images in which the component count
was erroneously set to a large value. An attacker could create a
specially-crafted JPEG image that, when opened, could cause an
application using libpng to crash or, possibly, execute arbitrary code
with the privileges of the user running the application (CVE-2012-2806).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2806
http://lists.opensuse.org/opensuse-updates/2012-08/msg00002.html
========================

Updated packages in core/updates_testing:
========================
libjpeg62-6b-49.1.mga1
libjpeg62-devel-6b-49.1.mga1
libjpeg62-static-devel-6b-49.1.mga1
jpeg6-progs-6b-49.1.mga1
libjpeg8-8b-5.1.mga1
libjpeg-devel-8b-5.1.mga1
libjpeg-static-devel-8b-5.1.mga1
jpeg-progs-8b-5.1.mga1
libjpeg8-1.2.0-4.1.mga2
libjpeg62-1.2.0-4.1.mga2
libjpeg-devel-1.2.0-4.1.mga2
libjpeg-static-devel-1.2.0-4.1.mga2
jpeg-progs-1.2.0-4.1.mga2

from SRPMS:
libjpeg6-6b-49.1.mga1.src.rpm
libjpeg-8b-5.1.mga1.src.rpm
libjpeg-1.2.0-4.1.mga2.src.rpm
Comment 1 David Walser 2012-08-01 23:53:35 CEST
Mandriva has also issued an advisory for this:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:121
Comment 2 claire robinson 2012-08-03 18:36:01 CEST
There are several different versions here, so several libs to test.

Mageia 1
--------
For lib(64)jpeg6 use some of the utilities from the jpeg6-progs package.

To get a list of those use:
$ urpmf jpeg6-progs | grep bin

For lib(64)jpeg8:
You can use any/many of the programs you find with:
$ urpmq --whatrequires lib64jpeg8

Check they seem to work OK with jpegs, you can also show it is using the library with strace by for example, using graphicsmagick to display a jpeg image..

$ strace -o strace.out gm display thumbnail.jpg 
$ grep jpeg strace.out

You should see a line like this..

open("/usr/lib64/libjpeg.so.8", O_RDONLY) = 4

Also there is a jpeg-progs package which appears to use this lib so use urpmf to find the executables for that as before, as an alternative.

Mageia 2
--------
jpeg-progs uses lib(64)jpeg8 so they can be used for testing that one, or any/many of the programs found with urpmq --whatrequires as for Mageia 1.

lib(64)jpeg62 is a difficult one as it's not required by anything. Unless there is a better way then just test it can be updated without any errors.
Comment 3 Samuel Verschelde 2012-08-04 09:15:06 CEST
Testing Mageia 1 32 complete.

--- libjpeg62 ---
After installing jpeg6-progs:

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg
# convert jpeg to bmp
djpeg -verbose test.jpg > test2.bmp
gm display test2.bmp
# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg

--- libjpeg8 ---
[samuel@localhost Téléchargements]$ strace -o strace.out gm display test.JPG
[samuel@localhost Téléchargements]$ grep jpeg strace.out
access("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", R_OK) = 0
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", O_RDONLY|O_LARGEFILE) = 4
read(4, "# jpeg.la - a libtool library fi"..., 4096) = 1152
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.so", O_RDONLY) = 4
open("/usr/lib/libjpeg.so.8", O_RDONLY) = 4

and also, after installing jpeg-progs instead of jpeg6-progs

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg
# convert jpeg to bmp
djpeg -verbose test.jpg > test2.bmp
gm display test2.bmp
# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg


and optionally, for some fun

check that xmoto works well
Comment 4 Samuel Verschelde 2012-08-04 09:28:43 CEST
(In reply to comment #0)
> Updated libjpeg packages fix security vulnerability:
> [...]
> application using libpng to crash

@David Walser: libpng, really? :)
Comment 5 Samuel Verschelde 2012-08-04 09:40:59 CEST
Testing complete on Mageia 2 32 using same steps as comment #3 for libjpeg8 (including xmoto :))
Comment 6 Stefano Negro 2012-08-04 10:53:07 CEST
Loaded jpeg-progs and GraphicsMagick

With gm :
# strace -o strace.out gm display /home/mornot/thumbnail.jpg

# grep jpeg strace.out
access("/usr/lib64/GraphicsMagick-1.3.13/modules-Q8/coders/jpeg.so", R_OK) = 0
open("/usr/lib64/GraphicsMagick-1.3.13/modules-Q8/coders/jpeg.so", O_RDONLY) = 4
open("/usr/lib64/libjpeg.so.8", O_RDONLY) = 4

With jpeg-progs
# djpeg -verbose thumbnail.jpg > thumbnail.bmp
libjpeg-turbo version 1.2.0 (build 20120801)
Copyright (C) 1991-2010 Thomas G. Lane, Guido Vollbeding
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 2009-2012 D. R. Commander
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)

Emulating The Independent JPEG Group's libjpeg, version 8b  16-May-2010

Start of Image
JFIF APP0 marker: version 1.01, density 1x1  0
Define Quantization Table 0  precision 0
Define Quantization Table 1  precision 0
Start Of Frame 0xc0: width=244, height=207, components=3
    Component 1: 2hx2v q=0
    Component 2: 1hx1v q=1
    Component 3: 1hx1v q=1
Define Huffman Table 0x00
Define Huffman Table 0x10
Define Huffman Table 0x01
Define Huffman Table 0x11
Start Of Scan: 3 components
    Component 1: dc=0 ac=0
    Component 2: dc=1 ac=1
    Component 3: dc=1 ac=1
  Ss=0, Se=63, Ah=0, Al=0
End Of Image

# cjpeg -grayscale -verbose thumbnail.bmp > thumbnail2.jpg
libjpeg-turbo version 1.2.0 (build 20120801)
Copyright (C) 1991-2010 Thomas G. Lane, Guido Vollbeding
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 2009-2012 D. R. Commander
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)

Emulating The Independent JPEG Group's libjpeg, version 8b  16-May-2010

244x207 PPM image

#gm display /home/mornot/thumbnail.bmp  (ok)

# jpegtran -rotate 90 thumbnail.jpg > thumbnail3.jpg
# gm display thumbnail3.jpg  (ok)

Xmoto.... it works !
Comment 7 Samuel Verschelde 2012-08-04 11:14:34 CEST
Testing Mageia 1 64 bits complete.

Updating my procedure to fix a naming error (bmp instead of pgm), resulting in gwenview being unable to read the test2.bmp file.


Testing Mageia 1 32 complete.

--- libjpeg62 ---
After installing jpeg6-progs:

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg
# convert jpeg to bmp
djpeg -verbose test.jpg > test2.pgm
gm display test2.pgm
# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg

--- libjpeg8 ---
[samuel@localhost Téléchargements]$ strace -o strace.out gm display test.JPG
[samuel@localhost Téléchargements]$ grep jpeg strace.out
access("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", R_OK) = 0
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la",
O_RDONLY|O_LARGEFILE) = 4
read(4, "# jpeg.la - a libtool library fi"..., 4096) = 1152
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.so", O_RDONLY) = 4
open("/usr/lib/libjpeg.so.8", O_RDONLY) = 4

and also, after installing jpeg-progs instead of jpeg6-progs

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg
# convert jpeg to bmp
djpeg -verbose test.jpg > test2.pgm
gm display test2.pgm
# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg


and optionally, for some fun

check that xmoto works well
Comment 8 Samuel Verschelde 2012-08-04 11:15:37 CEST
Update validated. No linking required.

See comment #0 for advisory and RPMS. Just replace "libpng" with "libjpeg" in the advisory, I guess.
Comment 9 David Walser 2012-08-04 14:18:59 CEST
Hehe, that's the way it was written in both Novell and RedHat's bugzilla.  I didn't even notice.

BTW, apparently Mozilla's Bugzilla has a reproducer.  From the discussion it sounds like the Mageia 1 versions may not have been vulnerable...
https://bugzilla.mozilla.org/show_bug.cgi?id=759802
Comment 10 David Walser 2012-08-04 14:40:39 CEST
Unvalidating (sorry!) until QA has a chance to check the reproducer(s) against the /release versions in Mageia 1.
Comment 11 David Walser 2012-08-04 17:08:10 CEST
On second thought, SuSE patched old versions too, and based on the mozilla bug discussion, the patch won't hurt anything even if it's not needed.  QA can still try the reproducers if they want, but this can be validated.
Comment 12 Samuel Verschelde 2012-08-04 18:44:31 CEST
Validating then, if someone wants to try the reproducers, they are more than welcome though.
Comment 13 Thomas Backlund 2012-08-06 19:19:04 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0203

Note You need to log in before you can comment on or make changes to this bug.