Bug 1734637 (CVE-2019-13960)

Summary: CVE-2019-13960 libjpeg-turbo: denial of service due to incorrect width and height value of JPEG image
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: erik-fedora, klember, negativo17, nforro, phracek, rh-spice-bugs, rjones, vonsch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2019-08-22 05:37:21 UTC
Bug Depends On: 1734642, 1734639, 1734640    
Bug Blocks: 1734641    

Description Dhananjay Arunesh 2019-07-31 07:00:58 UTC
A vulnerability was found in libjpeg-turbo 2.0.2; a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes.

Reference:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/337
https://libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf

Comment 1 Dhananjay Arunesh 2019-07-31 07:01:22 UTC
Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: epel-7 [bug 1734640]
Affects: fedora-all [bug 1734639]

Comment 2 Dhananjay Arunesh 2019-07-31 07:02:48 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1734642]

Comment 3 Huzaifa S. Sidhpurwala 2019-08-22 05:37:21 UTC
Analysis:

As per upstream, this is a corner case of handling JPEG images, in which the header says that the size of the JPEG image is 32k x 64k, however the decompressor is not able to handle the data, progressive decompression. libjpeg prints a warning and goes ahead with decompression, which results in a large amount of memory being allocated and in the end may result in DoS via memory exhaustion or even application crash.

Upstream suggests that applications compiled against libjpeg-turbo should treat these warnings as fatal and abort parsing the image. They do not consider this issue as a security flaw, therefore no patch will be available.

Comment 4 Huzaifa S. Sidhpurwala 2019-08-22 05:37:25 UTC
Statement:

Upstream suggests that applications compiled against libjpeg-turbo should treat these warnings as fatal and abort parsing the image. They do not consider this issue as a security flaw.
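
The "set limits on image sizes" option from the description, as an added example that is not part of this bug report or of libjpeg-turbo: a pre-decode check that reads the declared width and height from the JPEG frame header and rejects oversized images before a decoder allocates for them. The function name, return codes, limits and sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed policy limits; hypothetical values, tune per application. */
#define MAX_DIM    16384u
#define MAX_PIXELS (64ull * 1024 * 1024)

enum { PRE_OK = 0, PRE_MALFORMED = -1, PRE_TOO_LARGE = -2 };

/* Constructed sample: SOI, JFIF APP0, progressive SOF2 declaring 32768 x 65535. */
static const uint8_t sample_huge[] = {
    0xFF,0xD8, 0xFF,0xE0,0x00,0x10,'J','F','I','F',0,1,1,0,0,1,0,1,0,0,
    0xFF,0xC2,0x00,0x0B,0x08,0xFF,0xFF,0x80,0x00,0x01,0x01,0x11,0x00 };
/* Constructed sample: SOI, baseline SOF0 declaring 640 x 480. */
static const uint8_t sample_ok[] = {
    0xFF,0xD8, 0xFF,0xC0,0x00,0x0B,0x08,0x01,0xE0,0x02,0x80,0x01,0x01,0x11,0x00 };

/* Walk marker segments to the first SOFn frame header and apply the limits
 * to the declared size before any decoder is asked to allocate for it. */
int jpeg_precheck(const uint8_t *buf, size_t len, unsigned *w, unsigned *h)
{
    size_t pos = 2;
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)        /* no SOI */
        return PRE_MALFORMED;
    while (pos + 4 <= len) {
        uint8_t m = buf[pos + 1];
        if (buf[pos] != 0xFF) return PRE_MALFORMED;
        if (m == 0xFF) { pos++; continue; }                  /* fill byte */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { pos += 2; continue; }
        if (m == 0xD9 || m == 0xDA) return PRE_MALFORMED;    /* EOI/SOS before SOF */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || seglen > len - pos - 2) return PRE_MALFORMED;
        /* 0xC0..0xCF are SOFn except DHT (C4), JPG (C8) and DAC (CC). */
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (seglen < 8) return PRE_MALFORMED;
            *h = ((unsigned)buf[pos + 5] << 8) | buf[pos + 6];
            *w = ((unsigned)buf[pos + 7] << 8) | buf[pos + 8];
            if (*w == 0 || *h == 0) return PRE_MALFORMED;
            if (*w > MAX_DIM || *h > MAX_DIM ||
                (uint64_t)*w * *h > MAX_PIXELS) return PRE_TOO_LARGE;
            return PRE_OK;
        }
        pos += 2 + seglen;
    }
    return PRE_MALFORMED;                                    /* no SOF found */
}
```

This bounds only the declared frame size; treating libjpeg warnings as fatal, the other control upstream recommends, is handled separately in the application's decoder error handling.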