Bug 1687424 (CVE-2018-14498)
Summary: CVE-2018-14498 libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | msiddiqu |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | erik-fedora, klember, negativo17, nforro, phracek, rh-spice-bugs, rjones, vonsch |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-08-06 19:20:48 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1687428, 1687429, 1687430, 1687475, 1687476, 1687477, 1715442 | | |
| Bug Blocks | 1687433 | | |
Description (msiddiqu, 2019-03-11 13:06:08 UTC)
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-28 [bug 1687428]

Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: epel-7 [bug 1687430]
Affects: fedora-28 [bug 1687429]

Trivial to reproduce on all Red Hat Enterprise Linux 6 and 7.

```
valgrind cjpeg -outfile /dev/null poc.bmp
==28000== Memcheck, a memory error detector
==28000== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==28000== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==28000== Command: cjpeg -outfile /dev/null poc.bmp
==28000==
==28000== Invalid read of size 1
==28000==    at 0x402213: get_8bit_row (rdbmp.c:144)
==28000==    by 0x40119D: main (cjpeg.c:613)
==28000==  Address 0x545d120 is 16 bytes after a block of size 80 in arena "client"
==28000==
==28000== Invalid read of size 1
==28000==    at 0x402222: get_8bit_row (rdbmp.c:145)
==28000==    by 0x40119D: main (cjpeg.c:613)
==28000==  Address 0x545d140 is 16 bytes before a block of size 103 alloc'd
==28000==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==28000==    by 0x4E62BE3: alloc_large (jmemmgr.c:376)
==28000==    by 0x4E62E46: alloc_sarray (jmemmgr.c:453)
==28000==    by 0x4E4A62E: jinit_c_prep_controller (jcprepct.c:348)
==28000==    by 0x4E466A9: jinit_compress_master (jcinit.c:39)
==28000==    by 0x4E3A253: jpeg_start_compress (jcapistd.c:50)
==28000==    by 0x40117D: main (cjpeg.c:609)
==28000==
==28000== Use of uninitialised value of size 8
==28000==    at 0x4E3D12D: encode_one_block (jchuff.c:487)
==28000==    by 0x4E3D12D: encode_mcu_huff (jchuff.c:618)
==28000==    by 0x4E3AD06: compress_data (jccoefct.c:204)
==28000==    by 0x4E46709: process_data_simple_main (jcmainct.c:135)
==28000==    by 0x4E3A334: jpeg_write_scanlines (jcapistd.c:108)
==28000==    by 0x4011B0: main (cjpeg.c:614)
==28000== ...
```

get_8bit_row invalid read looks to correspond to upstream ASAN error. Upped C to low. May be potential for information disclosure based on OOB read.
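The kind of bounds check that a get_8bit_row-style reader needs, as an added example (not libjpeg-turbo's code and not the vendor's fix). It assumes the over-read comes from a pixel's palette index being larger than the number of colormap entries, a reading consistent with the trace above (a read just past an 80-byte block) but not stated in the report; the palette, rows and function names are constructed for the example.

```c
/* Added example, not libjpeg-turbo code: expand one row of an 8-bit
 * palettised BMP into RGB, rejecting palette indices that fall outside
 * the colormap instead of indexing past its allocation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t (*colormap)[3];  /* cmaplen entries of R,G,B */
    size_t cmaplen;                /* number of valid palette entries */
} bmp_palette;                     /* hypothetical type for the example */

/* Expand `width` 8-bit indices into RGB. Returns 0 on success, -1 when
 * an index is out of range for the palette (unchecked, that index is
 * what turns into a heap over-read of the colormap). */
int expand_8bit_row(const bmp_palette *pal, const uint8_t *row,
                    size_t width, uint8_t *out_rgb)
{
    for (size_t col = 0; col < width; col++) {
        size_t t = row[col];
        if (t >= pal->cmaplen)     /* hardened: reject, do not over-read */
            return -1;
        out_rgb[3 * col + 0] = pal->colormap[t][0];
        out_rgb[3 * col + 1] = pal->colormap[t][1];
        out_rgb[3 * col + 2] = pal->colormap[t][2];
    }
    return 0;
}

/* Constructed sample data: a 4-entry palette, a valid row, and a row
 * whose third pixel (index 200) no 4-entry palette can satisfy. */
static const uint8_t sample_palette[4][3] = {
    {0, 0, 0}, {255, 0, 0}, {0, 255, 0}, {0, 0, 255}
};
static const uint8_t good_row[5] = {0, 1, 2, 3, 1};
static const uint8_t bad_row[5]  = {0, 1, 200, 3, 1};

/* Expand one of the sample rows; returns -1 if the row is rejected,
 * otherwise channel `ch` (0=R, 1=G, 2=B) of pixel `col`. */
int demo_channel(const uint8_t *row, size_t col, int ch)
{
    uint8_t rgb[3 * 5];
    bmp_palette pal = { sample_palette, 4 };
    if (expand_8bit_row(&pal, row, 5, rgb) != 0)
        return -1;
    return rgb[3 * col + ch];
}

int main(void)
{
    printf("good row, pixel 1 red = %d\n", demo_channel(good_row, 1, 0));
    printf("bad row result = %d\n", demo_channel(bad_row, 0, 0));
    return 0;
}
```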
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2052 https://access.redhat.com/errata/RHSA-2019:2052

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-14498

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:3705 https://access.redhat.com/errata/RHSA-2019:3705