Bugzilla – Bug 906761
VUL-0: CVE-2014-9092: libjpeg-turbo, libjpeg62-turbo: Passing a specially crafted JPEG file smashes the stack
Last modified: 2016-04-27 19:32:17 UTC
Created attachment 614672 [details] Reproducer

Currently there is no CVE assigned and no patch.

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>

Passing a specially crafted JPEG file to ImageMagick (convert -rotate 270 003632r270.jpg junk.jpg) could lead to stack smashing in libjpeg.so.62 (libjpeg-turbo).

This bug is triggered by setting the optimize coding member of the JPEG initialization structure to TRUE. If this flag is set to FALSE, ImageMagick completes without complaint. A workaround could consist of turning off compression optimization in ImageMagick to prevent the stack smash.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768369
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26482&sid=81658bc2f51a8d9893279cd01e83783f
It seems (from the Debian bug and the jpeg code) that only 12.3, 13.1, 13.2, Factory and sle12 are affected.
Reproduced on 12.3 and Factory.
Increasing BUFSIZE[1] in jchuff.c seems to cure the issue. But I guess we will wait for the upstream patch?

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768369#138
(In reply to Petr Gajdos from comment #3) Yes. Thanks for your quick reaction, but we will have to wait for a CVE anyway. I'll update the bug once it arrives; then an official patch will probably be available.
Okay. The upstream patch is now available at: http://sourceforge.net/p/libjpeg-turbo/code/1425/
CVE got assigned: CVE-2014-9092.
This is an autogenerated message for OBS integration:
This bug (906761) was mentioned in
https://build.opensuse.org/request/show/263204 Factory / libjpeg-turbo
sle12: 46732
factory: 263204
openSUSE:

$ osc mr home:pgajdos:maintenance:libjpeg-turbo
Using target project 'openSUSE:Maintenance'
Log message not specified
a)bort, c)ontinue, e)dit: c
Server returned an error: HTTP Error 400: Bad Request
Maintenance incident request contains no defined release target project for package libjpeg62-turbo.openSUSE_13.2

Should I delete libjpeg62-turbo.* links?
Can you edit the _link file in home:pgajdos:maintenance:libjpeg-turbo/libjpeg62-turbo.openSUSE_13.2 and remove the incorrect _Update so the links are unbroken?
Indeed, that worked. Thanks! mr#263335
openSUSE-SU-2014:1637-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 771791,807183,906761
CVE References: CVE-2014-9092
Sources used:
openSUSE 13.2 (src): libjpeg-turbo-1.3.1-30.5.1, libjpeg62-turbo-1.3.1-30.5.1
openSUSE 13.1 (src): libjpeg-turbo-1.2.1-24.4.1, libjpeg62-turbo-1.2.1-24.4.1
openSUSE 12.3 (src): libjpeg-turbo-1.2.1-19.20.1, libjpeg62-turbo-1.2.1-19.20.1
SUSE-SU-2015:0029-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 906761
CVE References: CVE-2014-9092
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): libjpeg-turbo-1.3.1-30.3, libjpeg62-turbo-1.3.1-30.1
SUSE Linux Enterprise Server 12 (src): libjpeg-turbo-1.3.1-30.3, libjpeg62-turbo-1.3.1-30.1
SUSE Linux Enterprise Desktop 12 (src): libjpeg-turbo-1.3.1-30.3, libjpeg62-turbo-1.3.1-30.1
released