Bug 1031734 (CVE-2013-6629)

Summary: CVE-2013-6629 libjpeg: information leak (read of uninitialized memory)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: cpelland, erik-fedora, fedora-mingw, jkurik, jrusnack, kalevlember, lfarkas, pfrields, phracek, rbalakri, rjones, thoger
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2015-03-02 18:04:27 UTC
Bug Depends On: 1031737, 1031739, 1031740, 1031741, 1031952, 1031954, 1031955, 1031957
Bug Blocks: 1030229, 1082776

Description Vincent Danen 2013-11-18 16:21:31 UTC
It was reported [1],[2] that libjpeg and libjpeg-turbo would use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in the presence of valid chroma data (Cr, Cb).  An example proof of concept that can be viewed in a browser is also available [3].

This was reported and fixed initially in Google Chrome/Chromium; it does not appear to be fixed in upstream libjpeg or libjpeg-turbo yet.  Patches to the third party source in Chromium for libjpeg [4] and libjpeg-turbo [5] however are available.
[1] http://googlechromereleases.blogspot.de/2013/11/stable-channel-update.html
[2] http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html
[3] http://lcamtuf.coredump.cx/jpeg_leak/
[4] http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libjpeg/jdmarker.c?r1=228354&r2=228353&pathrev=228354
[5] http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libjpeg_turbo/jdmarker.c?r1=228381&r2=228380&pathrev=228381
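As an added, defender-side illustration (not code from this bug report, from libjpeg, or from the Chromium patches linked above), the Python marker walker below applies the consistency checks a decoder needs between SOF and SOS segments: a scan selector not declared in SOF, a selector listed twice in one scan, and a declared component that no scan ever covers, which is the missing-Y case the description refers to. The JPEG skeleton it runs on is constructed inline and is not a viewable image.

```python
import struct
SOS, EOI = 0xDA, 0xD9
SOF_MARKERS = {0xC0, 0xC1, 0xC2}  # baseline, extended-sequential, progressive frames

def _skip_entropy(data, pos):
    """Skip entropy-coded data; 0xFF00 stuffing and RST0-7 markers belong to the scan."""
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] != 0 and not 0xD0 <= data[pos + 1] <= 0xD7:
            return pos
        pos += 1
    return len(data)

def check_jpeg_scans(data):
    """Report SOS component usage a decoder must reject: selectors not declared in SOF,
    a selector listed twice in one SOS, and SOF components no scan ever covers (missing Y)."""
    findings, declared, covered = [], None, set()
    pos = 2 if data[:2] == b"\xff\xd8" else 0
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == EOI:
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seglen]
        if marker in SOF_MARKERS:  # P, Y(2), X(2), Nf, then (Ci, HiVi, Tqi) triples
            declared = {seg[6 + 3 * i] for i in range(seg[5])}
        elif marker == SOS:  # Ns, then (Csj, TdjTaj) pairs, then Ss, Se, AhAl
            seen = set()
            for i in range(seg[0]):
                cid = seg[1 + 2 * i]
                if declared is None or cid not in declared:
                    findings.append(f"SOS selects undeclared component {cid}")
                if cid in seen:
                    findings.append(f"SOS lists component {cid} twice")
                seen.add(cid)
            covered |= seen
            pos = _skip_entropy(data, pos + 2 + seglen)
            continue
        pos += 2 + seglen
    if declared is not None:
        findings += [f"component {c} declared in SOF but never scanned" for c in sorted(declared - covered)]
    return findings

def build_skeleton(sos_ids):
    """Constructed input (not a viewable picture): SOI, SOF0 declaring components 1,2,3,
    one SOS selecting sos_ids, two stub entropy bytes, EOI; no DQT/DHT needed for this check."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    sof = bytes([8, 0, 8, 0, 8, 3, 1, 0x11, 0, 2, 0x11, 1, 3, 0x11, 1])
    sos = bytes([len(sos_ids)]) + b"".join(bytes([c, 0]) for c in sos_ids) + bytes([0, 0x3F, 0])
    return b"\xff\xd8" + seg(0xC0, sof) + seg(SOS, sos) + b"\x00\x00" + b"\xff\xd9"
```

Calling `check_jpeg_scans(build_skeleton((2, 3)))` reports component 1 as declared but never scanned; a full three-component scan `(1, 2, 3)` returns no findings.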

Comment 2 Vincent Danen 2013-11-18 16:34:58 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1031737]

Comment 3 Vincent Danen 2013-11-18 16:35:05 UTC
Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1031740]

Comment 4 Vincent Danen 2013-11-18 16:35:12 UTC
Created mingw32-libjpeg tracking bugs for this issue:

Affects: epel-5 [bug 1031741]

Comment 5 Vincent Danen 2013-11-18 16:36:38 UTC
The Chromium bug is https://code.google.com/p/chromium/issues/detail?id=258723 but it's not currently public.

Comment 7 Vincent Danen 2013-11-18 17:30:03 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6629 to
the following vulnerability:

Name: CVE-2013-6629
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Assigned: 20131105
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: http://bugs.ghostscript.com/show_bug.cgi?id=686980
Reference: http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=258723
Reference: https://src.chromium.org/viewvc/chrome?revision=229729&view=revision

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2)
libjpeg-turbo through 1.3.0, as used in Google Chrome before
31.0.1650.48, Ghostscript, and other products, does not check for
certain duplications of component data during the reading of segments
that follow Start Of Scan (SOS) JPEG markers, which allows remote
attackers to obtain sensitive information from uninitialized memory
locations via a crafted JPEG image.

Comment 9 errata-xmlrpc 2013-12-09 23:27:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1804 https://rhn.redhat.com/errata/RHSA-2013-1804.html

Comment 10 errata-xmlrpc 2013-12-09 23:28:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1803 https://rhn.redhat.com/errata/RHSA-2013-1803.html

Comment 11 Tomas Hoger 2014-04-10 08:52:20 UTC
Michal Zalewski's test page for this bug:
http://lcamtuf.coredump.cx/jpeg_leak/

Comment 13 errata-xmlrpc 2014-04-17 09:30:42 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html

Comment 14 errata-xmlrpc 2014-04-17 09:33:50 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html

Comment 15 Stefan Cornelius 2014-04-17 10:27:56 UTC
OpenJDK upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5ccfde781cdb

Comment 16 errata-xmlrpc 2014-04-17 11:41:59 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html

Comment 17 errata-xmlrpc 2014-05-13 19:48:08 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0486 https://rhn.redhat.com/errata/RHSA-2014-0486.html

Comment 18 errata-xmlrpc 2014-05-15 17:29:28 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0508 https://rhn.redhat.com/errata/RHSA-2014-0508.html

Comment 19 errata-xmlrpc 2014-05-15 18:22:35 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0509 https://rhn.redhat.com/errata/RHSA-2014-0509.html

Comment 20 Tomas Hoger 2014-06-09 09:07:20 UTC
*** Bug 1106388 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2014-06-10 13:12:32 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html

Comment 23 errata-xmlrpc 2014-07-29 15:41:10 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html

Comment 24 Petr Hracek 2015-02-24 14:52:02 UTC
All the bugs are closed. This bugzilla can be closed too.