Bug 1318509

| Field | Value |
|---|---|
| Summary | null pointer dereference in libjpeg library in cjpeg |
| Product | Red Hat Enterprise Linux 7 |
| Component | libjpeg-turbo |
| Version | 7.4 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | unspecified |
| Reporter | Aladdin Mubaied <alaa.mubaied> |
| Assignee | Nikola Forró <nforro> |
| QA Contact | Jan Houska <jhouska> |
| CC | jhouska, mhradile, security-response-team |
| Keywords | Security |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Fixed In Version | libjpeg-turbo-1.2.90-7.el7 |
| Doc Type | No Doc Update |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2019-08-06 12:39:19 UTC |
Created attachment 1137318 [details] crasher

I would like to report a null pointer dereference in the libjpeg library in rdppm.c:153. Here are the details: this bug can be used to cause a denial of service attack and, in some cases, remote code execution if the library is used in a system that accepts user input. Please assign a CVE for this issue.

```
$ cjpeg crasher
Starting program: /opt/libjpeg/bin/cjpeg crasher

Program received signal SIGSEGV, Segmentation fault.
bt:
#0  get_text_gray_row (cinfo=0x7fffffffe2c0, sinfo=<optimized out>) at rdppm.c:153
#1  0x0000000000401996 in main (argc=0x2, argv=0x7fffffffe618) at cjpeg.c:642
#2  0x00007ffff7738af5 in __libc_start_main () from /lib64/libc.so.6
#3  0x0000000000401e2d in _start ()

153       *ptr++ = rescale[read_pbm_integer(cinfo, infile)];
=> 0x407b08 <get_text_gray_row+200>: movzx  esi,BYTE PTR [r13+rcx*1+0x0]
gdb$ p $r13+$rcx*1+0x0
$8 = 0x92d91bc1
gdb$ x/x 0x92d91bc1
0x92d91bc1:     Cannot access memory at address 0x92d91bc1
```

Thanks
Aladdin Mubaied

Please note that I have requested a CVE ID for this bug from CVE-assign.

MITRE has assigned the following CVE ID to the bug: CVE-2016-3616.

Aladdin,

After analyzing this issue, it seems that the flaw is in the cjpeg utility shipped with libjpeg and not in the library itself. The cjpeg utility is used to compress an image file and produce a JPEG image. Interestingly, when I run this file through netpbm (pgmtopbm), it correctly handles it and the following message is printed:

```
pamditherbw: ASCII decimal integer in file is too large to be processed.
P4
23 1
pamtopnm: End of file encountered when trying to read a row from input file.
```

which shows that it is doing the right thing.

The above being said, I want to make this bug public, since it does not sound very serious. Are you OK with that?

Sure, if the issue is only in the cjpeg utility, you can make this bug public.

ty

This bug corresponds to the security flaw at: https://bugzilla.redhat.com/show_bug.cgi?id=1319661

VERIFIED

NEW PASS: libjpeg-turbo-1.2.90-8.el7

```
:: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 17:46:16 ] :: [ BEGIN ] :: Running reproducer :: actually running 'cjpeg crasherfile'
Numeric value out of range in PPM file
:: [ 17:46:16 ] :: [ PASS ] :: Running reproducer (Expected 1, got 1)
:: [ 17:46:16 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.B9reO9C3' should contain 'Numeric value out of range in PPM file'
:: [ 17:46:16 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.B9reO9C3' should not contain 'Segmentation fault'
--cat /var/tmp/rlRun_LOG.B9reO9C3------------------------
Numeric value out of range in PPM file
-/cat /var/tmp/rlRun_LOG.B9reO9C3------------------------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 0s
:: Assertions: 3 good, 0 bad
:: RESULT: PASS
```

OLD FAIL: libjpeg-turbo-1.2.90-6.el7

```
:: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 17:13:24 ] :: [ BEGIN ] :: Running reproducer :: actually running 'cjpeg crasherfile'
/usr/share/beakerlib/testing.sh: line 873: 13225 Segmentation fault cjpeg crasherfile
:: [ 17:13:24 ] :: [ FAIL ] :: Running reproducer (Expected 1, got 139)
:: [ 17:13:24 ] :: [ FAIL ] :: File '/var/tmp/rlRun_LOG.4rNn2hSM' should contain 'Numeric value out of range in PPM file'
:: [ 17:13:24 ] :: [ FAIL ] :: File '/var/tmp/rlRun_LOG.4rNn2hSM' should not contain 'Segmentation fault'
--cat /var/tmp/rlRun_LOG.4rNn2hSM------------------------
/usr/share/beakerlib/testing.sh: line 873: 13225 Segmentation fault cjpeg crasherfile
-/cat /var/tmp/rlRun_LOG.4rNn2hSM------------------------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 0 good, 3 bad
:: RESULT: FAIL
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2052
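The crash above comes from `*ptr++ = rescale[read_pbm_integer(cinfo, infile)]`: an ASCII sample read from the PGM text is used as an index into the `rescale` table (which has `maxval + 1` entries) without first checking that it is no larger than `maxval`, so a large value in the file turns into an out-of-bounds read, and the QA log shows the fixed package refusing such input with "Numeric value out of range in PPM file". The block below is an added illustration of that hardened pattern, not code from the bug report or from libjpeg-turbo: it is a small stand-alone ASCII PGM row reader that parses samples from an in-memory buffer (a constructed stand-in for the `FILE*` libjpeg reads), rejects non-numeric data and integer overflow during parsing, and range-checks each sample against `maxval` before it ever touches the table. The names `text_cursor`, `get_text_gray_row_checked`, `parse_constructed_row` and `decode_sample` are assumptions for this example; only the out-of-range message is taken from the page, the other two messages are illustrative wording.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of reading a row. PPM_OUTOFRANGE is the case the original crash
 * hit: a sample larger than maxval being used as an index into rescale[]. */
enum ppm_status { PPM_OK = 0, PPM_EOF = 1, PPM_BADVALUE = 2, PPM_OUTOFRANGE = 3 };

/* Cursor over an in-memory PGM body (constructed stand-in for libjpeg's FILE*). */
typedef struct { const char *cur; const char *end; } text_cursor;

/* PNM text allows whitespace and '#' comments between samples. */
static void skip_ws_and_comments(text_cursor *tc) {
    while (tc->cur < tc->end) {
        if (*tc->cur == '#') {
            while (tc->cur < tc->end && *tc->cur != '\n') tc->cur++;
        } else if (isspace((unsigned char)*tc->cur)) {
            tc->cur++;
        } else {
            break;
        }
    }
}

/* Read one unsigned ASCII decimal integer. Non-digits and values that would
 * overflow unsigned int are rejected rather than silently wrapped. */
static enum ppm_status read_pbm_integer(text_cursor *tc, unsigned int *out) {
    skip_ws_and_comments(tc);
    if (tc->cur >= tc->end) return PPM_EOF;
    if (!isdigit((unsigned char)*tc->cur)) return PPM_BADVALUE;
    unsigned int val = 0;
    while (tc->cur < tc->end && isdigit((unsigned char)*tc->cur)) {
        unsigned int d = (unsigned int)(*tc->cur - '0');
        if (val > (UINT_MAX - d) / 10) return PPM_BADVALUE; /* would overflow */
        val = val * 10 + d;
        tc->cur++;
    }
    *out = val;
    return PPM_OK;
}

/* Hardened counterpart of the loop at rdppm.c:153. The vulnerable shape is
 * `*ptr++ = rescale[read_pbm_integer(...)]` with no check that the sample fits
 * the maxval+1 entry table; here every sample is range-checked first. */
enum ppm_status get_text_gray_row_checked(text_cursor *tc, unsigned int maxval,
                                          const unsigned char *rescale,
                                          unsigned char *row, size_t width) {
    for (size_t i = 0; i < width; i++) {
        unsigned int v;
        enum ppm_status st = read_pbm_integer(tc, &v);
        if (st != PPM_OK) return st;
        if (v > maxval) return PPM_OUTOFRANGE; /* refuse instead of indexing */
        row[i] = rescale[v];
    }
    return PPM_OK;
}

/* Build the maxval+1 entry table mapping samples onto 0..255. */
static void build_rescale(unsigned int maxval, unsigned char *rescale) {
    for (unsigned int v = 0; v <= maxval; v++)
        rescale[v] = (unsigned char)((v * 255U + maxval / 2) / maxval);
}

/* Parse one row of `width` samples from a constructed PGM text body (the part
 * after the P2 header). Limited to maxval <= 255 to keep the table small. */
enum ppm_status parse_constructed_row(const char *body, unsigned int maxval,
                                      size_t width, unsigned char *row_out) {
    unsigned char rescale[256];
    if (maxval == 0 || maxval > 255) return PPM_BADVALUE;
    build_rescale(maxval, rescale);
    text_cursor tc = { body, body + strlen(body) };
    return get_text_gray_row_checked(&tc, maxval, rescale, row_out, width);
}

/* One decoded sample (0..255) from a row, or the negated status on failure. */
int decode_sample(const char *body, unsigned int maxval, size_t width, size_t idx) {
    unsigned char row[64];
    if (width > sizeof row || idx >= width) return -PPM_BADVALUE;
    enum ppm_status st = parse_constructed_row(body, maxval, width, row);
    return st == PPM_OK ? (int)row[idx] : -(int)st;
}

/* Message text; only the out-of-range one is the wording seen in the QA log. */
const char *ppm_status_message(enum ppm_status st) {
    switch (st) {
    case PPM_OK:         return "ok";
    case PPM_EOF:        return "Premature end of input (illustrative wording)";
    case PPM_BADVALUE:   return "Nonnumeric or oversized data (illustrative wording)";
    case PPM_OUTOFRANGE: return "Numeric value out of range in PPM file";
    }
    return "unknown";
}

int main(void) {
    unsigned char row[3];
    /* Constructed row: middle sample exceeds maxval 15 and must be rejected. */
    enum ppm_status st = parse_constructed_row("0 99999 3", 15, 3, row);
    printf("%s\n", ppm_status_message(st));
    return st == PPM_OK ? 0 : 1;
}
```

With maxval 15 the table has 16 entries, so the sample 99999 in the constructed row is refused with the out-of-range status before any indexing happens; the same reader also stops on truncated input and on digit strings too long to fit an `unsigned int`, the two other ways a hostile text-format file can push a parser into undefined behaviour.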