Your message dated Thu, 26 Dec 2024 16:34:42 +0000
with message-id <[email protected]>
and subject line Bug#1088818: fixed in jpeg-xl 0.10.4-2
has caused the Debian Bug report #1088818,
regarding grave: CVE-2024-11403 CVE-2024-11498
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1088818: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088818
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: grave
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for grave.
CVE-2024-11403[0]:
| There exists an out of bounds read/write in LibJXL versions prior to
| commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder
| used by the JPEG XL encoder when doing JPEG recompression (i.e. if
| using JxlEncoderAddJPEGFrame on untrusted input) does not properly
| check bounds in the presence of incomplete codes. This could lead to
| an out-of-bounds write. In jpegli which is released as part of the
| same project, the same vulnerability is present. However, the
| relevant buffer is part of a bigger structure, and the code makes no
| assumptions on the values that could be overwritten. The issue could
| however cause jpegli to read uninitialised memory, or addresses of
| functions.
https://github.com/libjxl/libjxl/commit/9cc451b91b74ba470fd72bd48c121e9f33d24c99
CVE-2024-11498[1]:
| There exists a stack buffer overflow in libjxl. A specifically-
| crafted file can cause the JPEG XL decoder to use large amounts of
| stack space (up to 256mb is possible, maybe 512mb), potentially
| exhausting the stack. An attacker can craft a file that will cause
| excessive memory usage. We recommend upgrading past
| commit 65fbec56bc578b6b6ee02a527be70787bbd053b0.
https://github.com/libjxl/libjxl/pull/3943
https://github.com/libjxl/libjxl/commit/bf4781a2eed2eef664790170977d1d3d8347efb9
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-11403
https://www.cve.org/CVERecord?id=CVE-2024-11403
[1] https://security-tracker.debian.org/tracker/CVE-2024-11498
https://www.cve.org/CVERecord?id=CVE-2024-11498
Please adjust the affected versions in the BTS as needed.
--- End Message ---
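The two advisories above describe two classic decoder defects: a Huffman lookup whose table is not fully defined for incomplete codes (CVE-2024-11403), and recursion whose depth is controlled by the input (CVE-2024-11498). The C below is an added example written for this page; it is not libjxl's code and does not reproduce its fixes. `huff_build` builds a full 2^16-entry table from JPEG-style DHT code counts, rejects over-subscribed codes and leaves a sentinel in every slot an incomplete code does not cover, so `huff_decode` can never index outside the table. `tree_walk`/`tree_parse` parse a toy pre-order tree encoding (constructed here, not the JPEG XL modular tree format) with an explicit height limit, which is the general mitigation for input-driven stack growth. All function names and the byte format are this example's own.

```c
/* Added example: bounds-safe canonical Huffman table build and depth-limited
 * recursive tree parsing. Toy formats and names are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HUFF_MAX_LEN 16                 /* JPEG DHT code lengths are 1..16 */
#define HUFF_TABLE_SIZE (1u << HUFF_MAX_LEN)

typedef struct {
    uint16_t lookup[HUFF_TABLE_SIZE];   /* (len << 8) | symbol; 0 = no code here */
    int complete;                       /* 1 if the Kraft sum is exactly 1 */
} huff_table_t;

/* Build a full 2^16-entry lookup table from counts[len-1] (codes of each
 * length) and the symbol list. Returns -1 for an over-subscribed code or a
 * symbol-count mismatch. Incomplete codes (the standard JPEG tables are
 * incomplete) are accepted: unassigned slots keep the 0 sentinel, so any
 * 16-bit pattern resolves to a defined entry instead of reading past the end. */
int huff_build(const uint8_t counts[HUFF_MAX_LEN], const uint8_t *symbols,
               size_t nsymbols, huff_table_t *t)
{
    memset(t, 0, sizeof(*t));
    size_t total = 0;
    for (int i = 0; i < HUFF_MAX_LEN; i++) total += counts[i];
    if (total != nsymbols || total > 256) return -1;

    unsigned code = 0;  /* next canonical code of the current length */
    size_t k = 0;       /* next symbol to assign */
    for (int len = 1; len <= HUFF_MAX_LEN; len++) {
        for (unsigned n = 0; n < counts[len - 1]; n++, k++) {
            if (code >= (1u << len)) return -1;     /* over-subscribed prefix space */
            unsigned shift = HUFF_MAX_LEN - len;
            unsigned base = code << shift;          /* < 2^16 by the check above */
            for (unsigned j = 0; j < (1u << shift); j++)
                t->lookup[base + j] = (uint16_t)((len << 8) | symbols[k]);
            code++;
        }
        code <<= 1;
    }
    /* After the last shift the code space is exactly used up iff code == 2^17. */
    t->complete = (code == (1u << (HUFF_MAX_LEN + 1)));
    return 0;
}

/* Decode one symbol from the next 16 bits of the stream (MSB first).
 * Returns the code length consumed, or -1 if no code matches that pattern. */
int huff_decode(const huff_table_t *t, uint32_t next16, uint8_t *sym)
{
    uint16_t e = t->lookup[next16 & (HUFF_TABLE_SIZE - 1)]; /* masked: always in bounds */
    if (e == 0) return -1;
    *sym = (uint8_t)(e & 0xFF);
    return e >> 8;
}

/* Toy pre-order tree encoding (constructed for this example): byte 1 is an
 * inner node followed by its two children, byte 0 is a leaf. Recursion depth
 * equals tree height, so without max_depth a few hundred bytes could drive
 * the stack arbitrarily deep. */
static int tree_walk(const uint8_t *buf, size_t len, size_t *pos,
                     int depth, int max_depth, size_t *nodes)
{
    if (depth > max_depth) return -1;       /* too deep: refuse before recursing further */
    if (*pos >= len) return -1;             /* truncated input */
    uint8_t tag = buf[(*pos)++];
    (*nodes)++;
    if (tag == 0) return 0;
    if (tag != 1) return -1;                /* unknown tag */
    if (tree_walk(buf, len, pos, depth + 1, max_depth, nodes) < 0) return -1;
    return tree_walk(buf, len, pos, depth + 1, max_depth, nodes);
}

/* Parse a whole buffer; returns the node count, or -1 if the tree is
 * malformed, exceeds max_depth, or leaves trailing bytes. */
long tree_parse(const uint8_t *buf, size_t len, int max_depth)
{
    size_t pos = 0, nodes = 0;
    if (tree_walk(buf, len, &pos, 0, max_depth, &nodes) < 0) return -1;
    if (pos != len) return -1;
    return (long)nodes;
}

/* Build a left-leaning chain of the given height (2*height+1 bytes) so a
 * caller can exercise the depth limit with a small constructed input. */
size_t tree_make_chain(uint8_t *buf, int height)
{
    size_t n = 0;
    for (int i = 0; i < height; i++) buf[n++] = 1;   /* inner nodes down the left spine */
    buf[n++] = 0;                                    /* deepest leaf */
    for (int i = 0; i < height; i++) buf[n++] = 0;   /* right leaves, innermost first */
    return n;
}
```

The standard JPEG DC luminance table (counts 0,1,5,1,1,1,1,1,1 for lengths 1..9) is deliberately incomplete, so a decoder must expect a bit pattern with no matching code and fail cleanly rather than treat the lookup as total; the chain builder shows how little input is needed to reach any recursion depth once the limit is absent.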
--- Begin Message ---
Source: jpeg-xl
Source-Version: 0.10.4-2
Done: Jeremy Bícha <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jpeg-xl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated jpeg-xl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 26 Dec 2024 11:28:50 -0500
Source: jpeg-xl
Built-For-Profiles: noudeb
Architecture: source
Version: 0.10.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1076699 1077336 1088818
Changes:
jpeg-xl (0.10.4-2) unstable; urgency=medium
.
* Team upload
* Extend dh_auto_test timeout to avoid build failures on riscv64
(Closes: #1077336)
* Release to unstable (Closes: #1088818)
.
jpeg-xl (0.10.4-1) experimental; urgency=medium
.
* Team upload
.
[ Jeremy Bícha ]
* New upstream release (Closes: #1077336)
- CVE-2024-11403 Huffman lookup table size fix
- CVE-2024-11498 Check height limit in modular trees
.
[ Gianfranco Costamagna ]
* Force gcc-13 on s390x because testsuite hangs with gcc-14
.
[ Jeremy Bícha ]
* Use gcc-13 on riscv64 too
.
jpeg-xl (0.10.3-5) experimental; urgency=medium
.
* d/patches: Remove libjpegli-tools
.
jpeg-xl (0.10.3-4) experimental; urgency=medium
.
* d/tests: Remove a portion of the unit test. Closes: #1076699
.
jpeg-xl (0.10.3-3) experimental; urgency=medium
.
* d/patches: Make sure to find package HWY
.
jpeg-xl (0.10.3-2) experimental; urgency=medium
.
* d/rules Remove legacy comment
* d/patches: Update big endian patch
* d/patches: Add libjpegli-tools
.
jpeg-xl (0.10.3-1) experimental; urgency=medium
.
* New upstream version 0.10.3
* d/patches: Refresh patches for new release
* d/symbols: Migrate to new ABI
* d/patches: Prepare patch for upstream
Checksums-Sha1:
18600a1b2d516764ddf15ccbbfa86a629a88fd63 3197 jpeg-xl_0.10.4-2.dsc
2cb0f24d3b701c7943a032bbbae2667bcb6624b4 21536 jpeg-xl_0.10.4-2.debian.tar.xz
d44d98cba70ee51f1ca8e3129f32bf9d9c847e20 14581 jpeg-xl_0.10.4-2_source.buildinfo
Checksums-Sha256:
bd839b4fcba78736803f67eac6575ae126e9909ca9912b37b0a25922f7dd79f1 3197 jpeg-xl_0.10.4-2.dsc
642746a033a506ad395d89c8acb2bcbfbf76ed428cf980bff2e9f2b7a27bccdf 21536 jpeg-xl_0.10.4-2.debian.tar.xz
8d67ff80ea1e9db726f3f602ede97625d42f25162c91f71a154e949e84dae5ec 14581 jpeg-xl_0.10.4-2_source.buildinfo
Files:
9b41305c1a22c30bee9e861195ad85cd 3197 graphics optional jpeg-xl_0.10.4-2.dsc
8b7ca5c61eb221535b83382dde6a9d37 21536 graphics optional jpeg-xl_0.10.4-2.debian.tar.xz
e6eb088024f97af2cf100f6c1bc7a182 14581 graphics optional jpeg-xl_0.10.4-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEETQvhLw5HdtiqzpaW5mx3Wuv+bH0FAmdthL4ACgkQ5mx3Wuv+
bH3tjw/9FgZSQ29jiazVotzGwrTFYon/2TJOXeeAlPgINJguAXJCKPL6M+v65ajs
0Irvru8Lvj+Dtnlq/n7rtmFCkEX9+QYo09heHiwbIJrQcx9sjwVklGJ3MBBRybxh
H4cSTSsdCNrOCwe6kljDbgIP7xYfo5n77DfE98fsrwvd1wwzv8msW/O11E+5vKkb
UIPCgfC8eYIaMeJg7PC9vOCe+4ODlgmEeB0YVPdqQUSq8+ZK+GbS5C4jMmjBNqh3
1ge9JBVjDTUKMi0VYvrZp4iMNTJTHq8Qj1LsZhUuCiiG86DQycVXeMITHMILj1mG
nIO29e/78H9lmhcS2PNs+TyYEYcj+pNiR7lR8IEy6HQE+H+2nraFTPMDLlFhfdtR
0Iw5awqY75VNy/ROnzGqJX3BHaYmMAi64dGBUbTubU9hk/uz6bfsDgQb7FWbe/0b
LKhXNHDZHvcwyKFcOKylVqldTQJhUz7P8ex8+p8GtnE9vV2MgM4+SHlG+twRWaqF
oUPeFYNHH2bBoQ26VZKd+/nzcdPl/+1Fvg6h7Y0WsCD8j/jhq4xQdS6P1V9FybJt
0j62Qto/i8IhFb0HHfZ+9juGRE85oc+aVhKqX3CcmFULCIAOmYqkRBoHPddr8YX1
1lUXTsCaxw/klJGoD9x8wc6gMIv4cqSnGvihqn1usmmOLwBP094=
=hUAM
-----END PGP SIGNATURE-----
--- End Message ---