Your message dated Thu, 19 Nov 2020 20:46:17 +0000
with message-id <[email protected]>
and subject line Bug#924678: fixed in libjpeg-turbo 1:1.5.2-2+deb10u1
has caused the Debian Bug report #924678,
regarding libjpeg-turbo: CVE-2018-14498: denial of service in get_8bit_row in rdbmp.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
924678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924678
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libjpeg-turbo
Version: 1:1.5.2-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258

Hi,

The following vulnerability was published for libjpeg-turbo.

CVE-2018-14498[0]:
| get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG
| through 3.3.1 allows attackers to cause a denial of service (heap-based
| buffer over-read and application crash) via a crafted 8-bit BMP in
| which one or more of the color indices is out of range for the number
| of palette entries.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Built with ASAN, one sees the issue as

$ ASAN_OPTIONS="detect_leaks=0" ./cjpeg -outfile /dev/null ~/CVE-2018-14498
=================================================================
==31997==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000000d3 at pc 0x56029bfc9ff7 bp 0x7ffe52f5e400 sp 0x7ffe52f5e3f8
READ of size 1 at 0x60d0000000d3 thread T0
    #0 0x56029bfc9ff6 in get_8bit_row /tmp/libjpeg-turbo-1.5.2/rdbmp.c:145
    #1 0x56029bfcaf1b in preload_image /tmp/libjpeg-turbo-1.5.2/rdbmp.c:270
    #2 0x56029bfc3c40 in main /tmp/libjpeg-turbo-1.5.2/cjpeg.c:616
    #3 0x7f8be200109a in __libc_start_main ../csu/libc-start.c:308
    #4 0x56029bfc1359 in _start (/tmp/libjpeg-turbo-1.5.2/.libs/cjpeg+0x5359)

0x60d0000000d3 is located 12 bytes to the right of 135-byte region [0x60d000000040,0x60d0000000c7)
allocated by thread T0 here:
    #0 0x7f8be23d6350 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9350)
    #1 0x7f8be229b437 in jpeg_get_large /tmp/libjpeg-turbo-1.5.2/jmemnobs.c:56
    #2 0x7f8be2296e9f in alloc_large /tmp/libjpeg-turbo-1.5.2/jmemmgr.c:393
    #3 0x7f8be22971fc in alloc_sarray /tmp/libjpeg-turbo-1.5.2/jmemmgr.c:477
    #4 0x56029bfcce5a in start_input_bmp /tmp/libjpeg-turbo-1.5.2/rdbmp.c:401
    #5 0x56029bfc3b5d in main /tmp/libjpeg-turbo-1.5.2/cjpeg.c:595
    #6 0x7f8be200109a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/libjpeg-turbo-1.5.2/rdbmp.c:145 in get_8bit_row
Shadow bytes around the buggy address:
  0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1a7fff8010: 00 00 00 00 00 00 00 00 07 fa[fa]fa fa fa fa fa
  0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31997==ABORTING

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14498
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498
[1] https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258

Please adjust the affected versions in the BTS as needed.

Attaching a preliminary backported patch which should apply on top of 1:1.5.2-2
(not yet checked that it is a fully correct backport).

Regards,
Salvatore
From: DRC <[email protected]>
Date: Fri, 20 Jul 2018 17:21:36 -0500
Subject: cjpeg: Fix OOB read caused by malformed 8-bit BMP
Origin: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-14498
Bug: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258

... in which one or more of the color indices is out of range for the
number of palette entries.

Fix partly borrowed from jpeg-9c.  This commit also adopts Guido's
JERR_PPM_OUTOFRANGE enum value in lieu of our project-specific
JERR_PPM_TOOLARGE enum value.

Fixes #258
---
 ChangeLog.md |  5 +++++
 cderror.h    |  5 +++--
 rdbmp.c      | 13 ++++++++++++-
 rdppm.c      | 12 ++++++------
 4 files changed, 26 insertions(+), 9 deletions(-)
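Review bot: the diffstat lists ChangeLog.md (5 insertions) and says 4 files changed, 26 insertions, 9 deletions, but the body below carries only the cderror.h, rdbmp.c and rdppm.c hunks. If the ChangeLog hunk was dropped on purpose for the backport, regenerate the stat (or drop it) so the header matches what is actually applied; a stale stat makes it harder to confirm that nothing else went missing.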

--- a/cderror.h
+++ b/cderror.h
@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP outpu
 JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
 JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
 JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
+JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")
 JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
 JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
 JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
@@ -75,8 +76,8 @@ JMESSAGE(JWRN_GIF_NOMOREDATA, "Ran out o
 #ifdef PPM_SUPPORTED
 JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
 JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
-JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
 JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
+JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")
 JMESSAGE(JTRC_PGM, "%ux%u PGM image")
 JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
 JMESSAGE(JTRC_PPM, "%ux%u PPM image")
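Review bot: this hunk is not part of the CVE-2018-14498 fix. It removes the JERR_PPM_TOOLARGE entry and adds JERR_PPM_OUTOFRANGE after JERR_PPM_NOT, which renames an error code and changes the order of the JMESSAGE entries that follow. For a stable-update backport whose purpose is the BMP bounds check, consider keeping only the JERR_BMP_OUTOFRANGE addition from the first hunk and leaving the PPM rename (and the rdppm.c hunks that depend on it) out, so the change stays minimal and easy to review.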
--- a/rdbmp.c
+++ b/rdbmp.c
@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
   JDIMENSION row_width;         /* Physical width of scanlines in file */
 
   int bits_per_pixel;           /* remembers 8- or 24-bit format */
+  int cmap_length;              /* colormap length */
 } bmp_source_struct;
 
 
@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpe
 {
   bmp_source_ptr source = (bmp_source_ptr) sinfo;
   register JSAMPARRAY colormap = source->colormap;
+  int cmaplen = source->cmap_length;
   JSAMPARRAY image_ptr;
   register int t;
   register JSAMPROW inptr, outptr;
@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpe
   outptr = source->pub.buffer[0];
   for (col = cinfo->image_width; col > 0; col--) {
     t = GETJSAMPLE(*inptr++);
+    if (t >= cmaplen)
+      ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
     *outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
     *outptr++ = colormap[1][t];
     *outptr++ = colormap[2][t];
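Review bot: the per-pixel check `if (t >= cmaplen)` is the actual fix for the over-read; t comes from GETJSAMPLE, so it cannot be negative and the upper bound alone is sufficient. Its correctness now depends on source->cmap_length being assigned on every path that can reach get_8bit_row, and the only assignment in this patch sits inside the colormap-allocation branch of start_input_bmp. Suggest zero-initialising cmap_length where the source struct is set up so that a path which misses the assignment fails closed (ERREXIT on the first pixel) rather than comparing against an indeterminate value.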
@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, c
     source->colormap = (*cinfo->mem->alloc_sarray)
       ((j_common_ptr) cinfo, JPOOL_IMAGE,
        (JDIMENSION) biClrUsed, (JDIMENSION) 3);
+    source->cmap_length = (int)biClrUsed;
     /* and read it from the file */
     read_colormap(source, (int) biClrUsed, mapentrysize);
     /* account for size of colormap */
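Review bot: `source->cmap_length = (int)biClrUsed;` narrows the header field to int. The same value has just been passed to alloc_sarray as a JDIMENSION, so the allocation bounds it in practice, but if biClrUsed could exceed INT_MAX the cast would yield a negative length and `t >= cmaplen` would then reject every pixel. An explicit range check on biClrUsed before this line, or making cmap_length a JDIMENSION and comparing unsigned, would make the intent self-evident.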
--- a/rdppm.c
+++ b/rdppm.c
@@ -69,7 +69,7 @@ typedef struct {
   JSAMPROW pixrow;              /* compressor input buffer */
   size_t buffer_width;          /* width of I/O buffer */
   JSAMPLE *rescale;             /* => maxval-remapping array, or NULL */
-  int maxval;
+  unsigned int maxval;
 } ppm_source_struct;
 
 typedef ppm_source_struct *ppm_source_ptr;
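Review bot: changing `maxval` from int to unsigned int turns every `val > maxval` / `temp > maxval` comparison in the hunks that follow into an unsigned comparison. That is the safe direction (a negative value would convert to a large unsigned value and trip the check rather than pass it), but it is unrelated to the BMP fix and deserves a line in the changelog, and the declared types of `val` and `temp` should be confirmed so that a sign-compare warning is resolved rather than merely silenced.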
@@ -119,7 +119,7 @@ read_pbm_integer (j_compress_ptr cinfo,
   }
 
   if (val > maxval)
-    ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+    ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
 
   return val;
 }
@@ -255,7 +255,7 @@ get_word_gray_row (j_compress_ptr cinfo,
     temp  = UCH(*bufferptr++) << 8;
     temp |= UCH(*bufferptr++);
     if (temp > maxval)
-      ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
     *ptr++ = rescale[temp];
   }
   return 1;
@@ -282,17 +282,17 @@ get_word_rgb_row (j_compress_ptr cinfo,
     temp  = UCH(*bufferptr++) << 8;
     temp |= UCH(*bufferptr++);
     if (temp > maxval)
-      ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
     *ptr++ = rescale[temp];
     temp  = UCH(*bufferptr++) << 8;
     temp |= UCH(*bufferptr++);
     if (temp > maxval)
-      ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
     *ptr++ = rescale[temp];
     temp  = UCH(*bufferptr++) << 8;
     temp |= UCH(*bufferptr++);
     if (temp > maxval)
-      ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
     *ptr++ = rescale[temp];
   }
   return 1;

--- End Message ---
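As an added illustration of the check the rdbmp.c hunk above introduces (example code written for this page, not libjpeg-turbo's own; `bmp_palette`, `expand_8bit_row`, `make_palette` and `lookup_status` are constructed stand-ins for the reader's state and for get_8bit_row), the 8-bit palette lookup with every index validated against the number of entries actually read from the file:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the BMP reader's state: the palette as three
 * planes (R, G, B), like libjpeg's colormap[3][n], plus the number of
 * entries actually read from the file (the cmap_length the fix adds). */
typedef struct {
    uint8_t colormap[3][256];
    int     cmap_length;
} bmp_palette;

/* Expand one 8-bit colormapped row to RGB.  Each index is compared with
 * cmap_length before it is used, as the upstream fix does: an index that
 * is >= cmap_length (the CVE-2018-14498 condition) returns -1 instead of
 * reading past the palette.  Returns 0 when the whole row converted. */
int expand_8bit_row(const bmp_palette *pal, const uint8_t *indices,
                    size_t width, uint8_t *out_rgb)
{
    for (size_t col = 0; col < width; col++) {
        int t = indices[col];            /* 0..255, never negative */
        if (t >= pal->cmap_length)
            return -1;
        *out_rgb++ = pal->colormap[0][t];
        *out_rgb++ = pal->colormap[1][t];
        *out_rgb++ = pal->colormap[2][t];
    }
    return 0;
}

/* Fill a constructed palette with n (<= 256) entries; n plays the role of biClrUsed. */
void make_palette(bmp_palette *pal, int n)
{
    memset(pal, 0, sizeof *pal);
    pal->cmap_length = n;
    for (int i = 0; i < n; i++) {
        pal->colormap[0][i] = (uint8_t)i;
        pal->colormap[1][i] = (uint8_t)(255 - i);
        pal->colormap[2][i] = (uint8_t)(i * 2);
    }
}

/* Status of converting a one-pixel row against a palette of n entries. */
int lookup_status(int n, uint8_t idx)
{
    bmp_palette pal;
    uint8_t rgb[3];
    make_palette(&pal, n);
    return expand_8bit_row(&pal, &idx, 1, rgb);
}
```

With a 16-entry palette (biClrUsed = 16 rather than 256), index 15 is the last valid entry and index 16 is the one-past-the-end read that the ASAN trace above reports.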
--- Begin Message ---
Source: libjpeg-turbo
Source-Version: 1:1.5.2-2+deb10u1
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libjpeg-turbo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated libjpeg-turbo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Wed, 07 Oct 2020 22:25:43 +0200
Source: libjpeg-turbo
Binary: libjpeg-dev libjpeg-turbo-progs libjpeg-turbo-progs-dbgsym libjpeg62-turbo libjpeg62-turbo-dbgsym libjpeg62-turbo-dev libturbojpeg0 libturbojpeg0-dbgsym libturbojpeg0-dev
Architecture: source all amd64
Version: 1:1.5.2-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Ondřej Surý <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Description:
 libjpeg-dev - Development files for the JPEG library [dummy package]
 libjpeg-turbo-progs - Programs for manipulating JPEG files
 libjpeg62-turbo - libjpeg-turbo JPEG runtime library
 libjpeg62-turbo-dev - Development files for the libjpeg-turbo JPEG library
 libturbojpeg0 - TurboJPEG runtime library - SIMD optimized
 libturbojpeg0-dev - Development files for the TurboJPEG library
Closes: 902950 924678 962829
Changes:
 libjpeg-turbo (1:1.5.2-2+deb10u1) buster; urgency=medium
 .
   * CVE-2018-1152  (Closes: #902950)
   * CVE-2018-14498 (Closes: #924678)
   * CVE-2019-2201
   * CVE-2020-13790 (Closes: #962829)
Checksums-Sha1:
Checksums-Sha256:
Files:


--- End Message ---
