OpenSuSE has issued an advisory today (August 1):
http://lists.opensuse.org/opensuse-updates/2012-08/msg00002.html

Cauldron is not vulnerable as it was fixed upstream in 1.2.1.

Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated libjpeg packages fix security vulnerability:

A Heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create a specially-crafted JPEG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application (CVE-2012-2806).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2806
http://lists.opensuse.org/opensuse-updates/2012-08/msg00002.html
========================

Updated packages in core/updates_testing:
========================
libjpeg62-6b-49.1.mga1
libjpeg62-devel-6b-49.1.mga1
libjpeg62-static-devel-6b-49.1.mga1
jpeg6-progs-6b-49.1.mga1
libjpeg8-8b-5.1.mga1
libjpeg-devel-8b-5.1.mga1
libjpeg-static-devel-8b-5.1.mga1
jpeg-progs-8b-5.1.mga1
libjpeg8-1.2.0-4.1.mga2
libjpeg62-1.2.0-4.1.mga2
libjpeg-devel-1.2.0-4.1.mga2
libjpeg-static-devel-1.2.0-4.1.mga2
jpeg-progs-1.2.0-4.1.mga2

from SRPMS:
libjpeg6-6b-49.1.mga1.src.rpm
libjpeg-8b-5.1.mga1.src.rpm
libjpeg-1.2.0-4.1.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
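The advisory above concerns corrupt JPEG headers with an oversized component count. As an added example (not part of this bug report and not libjpeg code), the following checker walks the marker segments of a file and flags frame (SOF) or scan (SOS) headers whose component count is out of range or disagrees with the segment length. The limits 10 and 4 are assumed to be libjpeg's default compile-time values, and the sample bytes are constructed for the example.

```python
import struct

MAX_COMPONENTS = 10    # libjpeg's default limit on components per frame (SOF)
MAX_COMPS_IN_SCAN = 4  # JPEG limit on components per scan (SOS)
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # DHT, JPG, DAC are not frames
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}             # TEM and RSTn carry no length

def check_jpeg_header(data):
    """Walk marker segments up to the first scan; return a list of findings."""
    if data[:2] != b"\xff\xd8":
        return ["no SOI marker"]
    findings, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return findings + [f"offset {pos}: marker expected"]
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI
            return findings
        if marker in NO_LENGTH:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if length < 2 or len(body) != length - 2:
            return findings + [f"offset {pos}: bad segment length {length}"]
        if marker in SOF:
            nf = body[5] if len(body) > 5 else 0
            if not 1 <= nf <= MAX_COMPONENTS or length != 8 + 3 * nf:
                findings.append(f"SOF: components={nf}, length={length}")
        elif marker == 0xDA:
            ns = body[0] if body else 0
            if not 1 <= ns <= MAX_COMPS_IN_SCAN or length != 6 + 2 * ns:
                findings.append(f"SOS: components={ns}, length={length}")
            return findings           # entropy-coded data follows the scan header
        pos += 2 + length
    return findings

def seg(marker, body):
    """Build one marker segment: FF, marker byte, big-endian length, body."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed sample headers (not decodable images): 244x207, three components.
SOF0 = seg(0xC0, struct.pack(">BHHB", 8, 207, 244, 3)
           + bytes.fromhex("012200021101031101"))
SOS_TAIL = bytes.fromhex("010002110311003f00")
GOOD = b"\xff\xd8" + SOF0 + seg(0xDA, b"\x03" + SOS_TAIL) + b"\xff\xd9"
BAD = b"\xff\xd8" + SOF0 + seg(0xDA, b"\xc8" + SOS_TAIL) + b"\xff\xd9"
```

An empty result only means the headers are self-consistent; it says nothing about whether the installed library is patched.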
Mandriva has also issued an advisory for this: http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:121
Severity: normal => major
There are several different versions here, so several libs to test.

Mageia 1
--------

For lib(64)jpeg6 use some of the utilities from the jpeg6-progs package. To get a list of those use:

$ urpmf jpeg6-progs | grep bin

For lib(64)jpeg8:

You can use any/many of the programs you find with:

$ urpmq --whatrequires lib64jpeg8

Check they seem to work OK with jpegs, you can also show it is using the library with strace by, for example, using graphicsmagick to display a jpeg image.

$ strace -o strace.out gm display thumbnail.jpg
$ grep jpeg strace.out

You should see a line like this:

open("/usr/lib64/libjpeg.so.8", O_RDONLY) = 4

Also there is a jpeg-progs package which appears to use this lib so use urpmf to find the executables for that as before, as an alternative.

Mageia 2
--------

jpeg-progs uses lib(64)jpeg8 so they can be used for testing that one, or any/many of the programs found with urpmq --whatrequires as for Mageia 1.

lib(64)jpeg62 is a difficult one as it's not required by anything. Unless there is a better way then just test it can be updated without any errors.
Hardware: i586 => All
Whiteboard: MGA1TOO => MGA1TOO has_procedure
Testing Mageia 1 32 complete.

--- libjpeg62 ---

After installing jpeg6-progs:

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg

# convert jpeg to bmp
djpeg -verbose test.jpg > test2.bmp
gm display test2.bmp

# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg

--- libjpeg8 ---

[samuel@localhost Téléchargements]$ strace -o strace.out gm display test.JPG
[samuel@localhost Téléchargements]$ grep jpeg strace.out
access("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", R_OK) = 0
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", O_RDONLY|O_LARGEFILE) = 4
read(4, "# jpeg.la - a libtool library fi"..., 4096) = 1152
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.so", O_RDONLY) = 4
open("/usr/lib/libjpeg.so.8", O_RDONLY) = 4

and also, after installing jpeg-progs instead of jpeg6-progs

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg

# convert jpeg to bmp
djpeg -verbose test.jpg > test2.bmp
gm display test2.bmp

# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg

and optionally, for some fun check that xmoto works well
CC: (none) => stormi
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA1-32-OK
(In reply to comment #0)
> Updated libjpeg packages fix security vulnerability:
> [...]
> application using libpng to crash

@David Walser: libpng, really? :)
Testing complete on Mageia 2 32 using same steps as comment #3 for libjpeg8 (including xmoto :))
Whiteboard: MGA1TOO has_procedure MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK
Loaded jpeg-progs and GraphicsMagick

With gm :

# strace -o strace.out gm display /home/mornot/thumbnail.jpg
# grep jpeg strace.out
access("/usr/lib64/GraphicsMagick-1.3.13/modules-Q8/coders/jpeg.so", R_OK) = 0
open("/usr/lib64/GraphicsMagick-1.3.13/modules-Q8/coders/jpeg.so", O_RDONLY) = 4
open("/usr/lib64/libjpeg.so.8", O_RDONLY) = 4

With jpeg-progs

# djpeg -verbose thumbnail.jpg > thumbnail.bmp
libjpeg-turbo version 1.2.0 (build 20120801)
Copyright (C) 1991-2010 Thomas G. Lane, Guido Vollbeding
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 2009-2012 D. R. Commander
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)

Emulating The Independent JPEG Group's libjpeg, version 8b 16-May-2010

Start of Image
JFIF APP0 marker: version 1.01, density 1x1 0
Define Quantization Table 0 precision 0
Define Quantization Table 1 precision 0
Start Of Frame 0xc0: width=244, height=207, components=3
    Component 1: 2hx2v q=0
    Component 2: 1hx1v q=1
    Component 3: 1hx1v q=1
Define Huffman Table 0x00
Define Huffman Table 0x10
Define Huffman Table 0x01
Define Huffman Table 0x11
Start Of Scan: 3 components
    Component 1: dc=0 ac=0
    Component 2: dc=1 ac=1
    Component 3: dc=1 ac=1
  Ss=0, Se=63, Ah=0, Al=0
End Of Image

# cjpeg -grayscale -verbose thumbnail.bmp > thumbnail2.jpg
libjpeg-turbo version 1.2.0 (build 20120801)
Copyright (C) 1991-2010 Thomas G. Lane, Guido Vollbeding
Copyright (C) 1999-2006 MIYASAKA Masaru
Copyright (C) 2009 Pierre Ossman for Cendio AB
Copyright (C) 2009-2012 D. R. Commander
Copyright (C) 2009-2011 Nokia Corporation and/or its subsidiary(-ies)

Emulating The Independent JPEG Group's libjpeg, version 8b 16-May-2010

244x207 PPM image

#gm display /home/mornot/thumbnail.bmp (ok)

# jpegtran -rotate 90 thumbnail.jpg > thumbnail3.jpg
# gm display thumbnail3.jpg (ok)

Xmoto.... it works !
CC: (none) => stblack
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA2-64-OK
Testing Mageia 1 64 bits complete.

Updating my procedure to fix a naming error (bmp instead of pgm), resulting in gwenview being unable to read the test2.bmp file.

Testing Mageia 1 32 complete.

--- libjpeg62 ---

After installing jpeg6-progs:

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg

# convert jpeg to bmp
djpeg -verbose test.jpg > test2.pgm
gm display test2.pgm

# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg

--- libjpeg8 ---

[samuel@localhost Téléchargements]$ strace -o strace.out gm display test.JPG
[samuel@localhost Téléchargements]$ grep jpeg strace.out
access("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", R_OK) = 0
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.la", O_RDONLY|O_LARGEFILE) = 4
read(4, "# jpeg.la - a libtool library fi"..., 4096) = 1152
open("/usr/lib/GraphicsMagick-1.3.12/modules-Q8/coders/jpeg.so", O_RDONLY) = 4
open("/usr/lib/libjpeg.so.8", O_RDONLY) = 4

and also, after installing jpeg-progs instead of jpeg6-progs

# convert bmp to jpeg, in grayscale
cjpeg -grayscale -verbose test.bmp > test.jpg
gm display test.jpg

# convert jpeg to bmp
djpeg -verbose test.jpg > test2.pgm
gm display test2.pgm

# rotate a jpeg
jpegtran -rotate 90 test.jpg > test2.jpg
gm display test2.jpg

and optionally, for some fun check that xmoto works well
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA2-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-32-OK MGA2-64-OK MGA1-64-OK
Update validated. No linking required. See comment #0 for advisory and RPMS. Just replace "libpng" with "libjpeg" in the advisory, I guess.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hehe, that's the way it was written in both Novell and RedHat's bugzilla. I didn't even notice. BTW, apparently Mozilla's Bugzilla has a reproducer. From the discussion it sounds like the Mageia 1 versions may not have been vulnerable... https://bugzilla.mozilla.org/show_bug.cgi?id=759802
Unvalidating (sorry!) until QA has a chance to check the reproducer(s) against the /release versions in Mageia 1.
Keywords: validated_update => (none)
On second thought, SuSE patched old versions too, and based on the mozilla bug discussion, the patch won't hurt anything even if it's not needed. QA can still try the reproducers if they want, but this can be validated.
Validating then, if someone wants to try the reproducers, they are more than welcome though.
Keywords: (none) => validated_update
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0203
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED