Bug 1937385 (CVE-2021-20205)

Summary: CVE-2021-20205 libjpeg-turbo: DoS via open crafted GIF
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dcommander, erik-fedora, kaycoth, klember, manisandro, negativo17, nforro, phracek, rh-spice-bugs, rjones, vonsch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libjpeg-turbo 2.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libjpeg-turbo (versions 2.0.91 and 2.0.90) and is vulnerable to a denial of service issue caused by a divide by zero when processing a crafted GIF image. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 23:11:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1937387, 1937388, 1938013    
Bug Blocks: 1937390    

Description Dhananjay Arunesh 2021-03-10 14:31:53 UTC
Libjpeg-turbo (versions 2.0.91 and 2.0.90) is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.

References:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/493 [https://github.com/libjpeg-turbo/libjpeg-turbo/issues/493
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1719d12e51641cce5c77e259516649ba5ef6303c

Comment 1 Dhananjay Arunesh 2021-03-10 14:32:55 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1937387]


Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1937388]

Comment 2 DRC 2021-03-10 20:55:07 UTC
Denial of service?  Really?  What, pray tell, is the "service" that was being denied?  This bug was confined to the cjpeg application, whose main purpose is to demonstrate the usage of the libjpeg API library.  The library itself was not affected, and thus no other applications were affected.  Assigning a CVE to this seems like an overreaction, particularly given that the bug was a regression introduced by a new feature in a beta (non-production) release of libjpeg-turbo, and the bug was fixed two months before this Bugzilla issue was even created.  To those in the open source community, please stop abusing the term "DoS".  cjpeg is not, by any stretch of the imagination, a "service", and if it crashes rather than bowing out gracefully on a corrupt input image, that isn't a "denial of service."

Comment 5 Todd Cullum 2021-03-11 22:35:44 UTC
Statement:

This flaw does not affect versions of libjpeg-turbo shipped with Red Hat Enterprise Linux versions 6, 7, or 8. Additionally, it is not in the library, only the cjpeg utility.

Comment 6 DRC 2021-03-15 17:25:04 UTC
Correct.  More specifically, the flaw only affects libjpeg-turbo 2.1 beta1.  It was introduced as part of a new feature in libjpeg-turbo 2.1 that adds support for creating JPEG files from LZW-compressed GIF files using cjpeg.

Comment 7 DRC 2021-03-15 17:34:12 UTC
Also please note that 2.0.91 is not an official release of libjpeg-turbo.  2.0.90 is 2.1 beta1.  The version number in the Git repository was bumped to 2.0.91 for post-beta commits, but that version number would only become official if it were necessary to put out a beta2 release (which it isn't.)  Thus, to be 100% correct, this issue affects:

- The official 2.0.90 (2.1 beta1) release
- Any unofficial/pre-release builds with a version number of 2.0.91 and a build number < 20210114