Bug 1770982 (CVE-2019-2201)
Summary: | CVE-2019-2201 libjpeg-turbo: several integer overflows and subsequent segfaults when attempting to compress/decompress gigapixel images | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | darunesh, erik-fedora, klember, negativo17, nforro, phracek, rh-spice-bugs, rjones, vladimir.khmyrov, vonsch |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libjpeg-turbo 2.0.4 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-25 09:54:38 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1770988, 1770989, 1770990, 1774349, 1774350, 1774351 | ||
Bug Blocks: | 1770986, 1849067 |
Description
Guilherme de Almeida Suckevicz
2019-11-11 16:15:28 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1770988]

Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: epel-7 [bug 1770990]
Affects: fedora-all [bug 1770989]

The initial commit done by upstream at https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884 is incomplete, and should be followed by the commit at: https://github.com/clearlinux-pkgs/libjpeg-turbo/commit/0a5d06c3dd4a64754d7e6ffa081fd9132714f74c

Analysis: This flaw is an integer overflow, due to large image sizes, i.e. more than one billion pixels. It could lead to subsequent buffer overflows later in the code. However, you need a really large image to trigger this.

*** Bug 1850483 has been marked as a duplicate of this bug. ***

As mentioned in comment #2, there are two commits which are needed to fix this flaw:

1. https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884 -> this is a part of libjpeg-turbo 2.0.3
2. https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad -> this is a part of libjpeg-turbo 2.0.4

*** Bug 1850477 has been marked as a duplicate of this bug. ***
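
The integer-overflow pattern described in the analysis above, as an added C example (not code from libjpeg-turbo or from either upstream commit): a buffer size computed in 32-bit arithmetic wraps for a constructed 1.2-gigapixel image, while a checked 64-bit computation rejects it. The function names, the sample dimensions and the `limit` parameter are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Unsafe pattern: the byte count is computed in 32-bit arithmetic.
 * uint32_t is used so the wraparound is well defined in C. */
static uint32_t naive_buf_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp; /* silently reduced modulo 2^32 */
}

/* Checked pattern: compute in 64 bits, test the multiplication that can
 * wrap, and refuse anything above `limit` (e.g. SIZE_MAX or an application
 * cap). Returns 0 and stores the size in *out, or -1 if the image is
 * too large or a dimension is zero. */
static int checked_buf_size(uint32_t width, uint32_t height, uint32_t bpp,
                            uint64_t limit, uint64_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    uint64_t pixels = (uint64_t)width * height; /* < 2^64, cannot wrap */
    if (pixels > UINT64_MAX / bpp)
        return -1;
    uint64_t bytes = pixels * bpp;
    if (bytes > limit)
        return -1;
    *out = bytes;
    return 0;
}

int main(void)
{
    /* Constructed dimensions: 40000 x 30000 = 1.2 gigapixels, 4 bytes/pixel. */
    uint32_t w = 40000, h = 30000, bpp = 4;
    uint64_t size = 0;

    printf("naive 32-bit size: %u bytes\n", (unsigned)naive_buf_size(w, h, bpp));
    if (checked_buf_size(w, h, bpp, UINT32_MAX, &size) != 0)
        puts("checked (32-bit limit): rejected, image too large");
    if (checked_buf_size(w, h, bpp, UINT64_MAX, &size) == 0)
        printf("checked (64-bit limit): %llu bytes\n", (unsigned long long)size);
    return 0;
}
```

An allocation sized by the naive result would be far smaller than the pixel data later written into it, which is how the overflow turns into the buffer overflows the analysis mentions.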