Bug 2208447 (CVE-2023-2804)

Summary: CVE-2023-2804 libjpeg-turbo: heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdettelb, caswilli, dffrench, dkuc, fjansen, gzaronik, hkataria, information, jburrell, kaycoth, kshier, micjohns, nforro, ngough, rgodfrey, rh-spice-bugs, sthirugn
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libjpeg-turbo 3.0-beta2
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow issue was found in libjpeg-turbo in the h2v2_merged_upsample_internal() function in the jdmrgext.c file. This issue can only be triggered with 12-bit data precision, where the range of the sample data type exceeds the valid sample range. This could allow an attacker to craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application that decompresses such an image using merged upsampling would hit a segmentation fault or heap buffer overflow, causing the application to crash.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2208448
Bug Blocks: 2193322

Description TEJ RATHI 2023-05-19 06:29:22 UTC
In libjpeg-turbo, there is a heap-buffer-overflow at /libjpeg-turbo/jdmrgext.c:126 in h2v2_merged_upsample_internal(), leading to a crash.

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/675 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021

Comment 1 TEJ RATHI 2023-05-19 06:29:39 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 2208448]

Comment 5 DRC 2023-07-11 15:27:08 UTC
Notes regarding this issue:

The following GitHub issues were filed between 2023-03-26 and 2023-04-02, describing various segfaults and buffer overruns that could be triggered in libjpeg-turbo 3.0 beta2 with various specially-crafted malformed 12-bit-per-sample lossless JPEG images:

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/670
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/672
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/673
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/674
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/675
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/676
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/677
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/678
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/679
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/681
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/683

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021 (2023-04-04) fixed those issues by range-limiting the samples output by the 12-bit lossless decompressor.  CVE-2023-2804 was published on 2023-05-25, and it links to the aforementioned commit.  However, further research revealed two related issues that were not fixed by the aforementioned commit:

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/690 (2023-05-11)
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/701 (2023-06-25)

Ultimately all of the issues above were due to the fact that the merged upsampling and color quantization modules were never designed to work with lossless decompression, so it was possible for specially-crafted malformed 12-bit-per-sample and 16-bit-per-sample lossless JPEG images to cause the lossless decompressor to produce samples that overflowed tables in the merged upsampler or color quantizer.  Thus, libjpeg-turbo 3.0.0 disables both of those modules when decompressing lossless JPEG images:

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2192560d74e6e6cf99dd05928885573be00a8208
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/bf9f319cb4b86b130bee16af19fee95a1cdb5ef2

Doing so obviated https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021, so that commit was reverted.  In other words, the description of CVE-2023-2804 links to a commit that never actually made it into the libjpeg-turbo 3.0.0 code base.  The other two commits linked above are the final released fixes, which cover not only the 11 issues discovered in March/April but also the two issues discovered in May/June.

tl;dr:
- All 13 issues existed in libjpeg-turbo 3.0 beta2.
- None of those issues exists in libjpeg-turbo 3.0.0.
- CVE-2023-2804 describes all 13 issues, but it links to a preliminary fix that was ultimately reverted and never released.
- The commits that ultimately fixed all issues and were released in libjpeg-turbo 3.0.0 are https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2192560d74e6e6cf99dd05928885573be00a8208 and https://github.com/libjpeg-turbo/libjpeg-turbo/commit/bf9f319cb4b86b130bee16af19fee95a1cdb5ef2.

Thank you for attending my TED talk.
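Added example (not from this bug, the reporter, or libjpeg-turbo's own sources): a toy model of the root cause DRC describes in Comment 5 and of the range-limiting approach taken by the preliminary fix. 12-bit samples are stored in a 16-bit type, so a malformed lossless stream can deliver values outside 0..4095; a merged upsampler that uses the raw chroma sample as an index into a 4096-entry correction table then reads past the table. The table names `Cr_r_tab`/`Cb_b_tab` echo libjpeg's naming, but their contents, the `range_limit12` helper, and the sample row are assumptions constructed for this example. The out-of-range case is reported by counting rather than dereferenced, so the program stays well-defined; the 3.0.0 release fix (disabling merged upsampling and color quantization for lossless images entirely) is a module-selection change that this snippet does not model.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of the hazard: 12-bit samples live in a 16-bit type, so a
 * malformed lossless stream can carry values outside 0..MAXJ12SAMPLE, and
 * an upsampler that uses the raw sample as a table index reads past the
 * end of its table. (Assumption: simplified stand-in, not libjpeg-turbo's
 * jdmerge.c/jdmrgext.c.) */
#define MAXJ12SAMPLE 4095
#define CENTERJ12SAMPLE 2048
typedef short J12SAMPLE;

/* Hypothetical chroma correction tables with one entry per legal Cr/Cb
 * value; the names echo libjpeg's, the contents are this example's. */
static int Cr_r_tab[MAXJ12SAMPLE + 1];
static int Cb_b_tab[MAXJ12SAMPLE + 1];
static int tables_ready = 0;

static void build_tables(void) {
    if (tables_ready) return;
    for (int i = 0; i <= MAXJ12SAMPLE; i++) {
        double x = (double)(i - CENTERJ12SAMPLE);
        /* R = Y + 1.402 * Cr, B = Y + 1.772 * Cb, rounded to nearest */
        Cr_r_tab[i] = (int)(x * 1.402 + (x >= 0 ? 0.5 : -0.5));
        Cb_b_tab[i] = (int)(x * 1.772 + (x >= 0 ? 0.5 : -0.5));
    }
    tables_ready = 1;
}

/* The range-limiting step the preliminary fix added: clamp to 0..4095. */
static int range_limit12(int v) {
    return v < 0 ? 0 : (v > MAXJ12SAMPLE ? MAXJ12SAMPLE : v);
}

/* Count the samples an unhardened upsampler would use as raw table indices
 * outside Cr_r_tab/Cb_b_tab. Each one is an out-of-bounds heap read in the
 * original design; reporting instead of dereferencing keeps this example
 * well-defined. */
size_t count_out_of_range(const J12SAMPLE *chroma, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (chroma[i] < 0 || chroma[i] > MAXJ12SAMPLE) bad++;
    return bad;
}

/* Hardened conversion of one row: every sample is range-limited before it
 * becomes a table index, and the output is clamped back to 12-bit range. */
void merged_row_to_rb(const J12SAMPLE *y, const J12SAMPLE *cb,
                      const J12SAMPLE *cr, int *r_out, int *b_out, size_t n) {
    build_tables();
    for (size_t i = 0; i < n; i++) {
        int yy = range_limit12(y[i]);
        int cbi = range_limit12(cb[i]);
        int cri = range_limit12(cr[i]);
        r_out[i] = range_limit12(yy + Cr_r_tab[cri]);
        b_out[i] = range_limit12(yy + Cb_b_tab[cbi]);
    }
}

/* Constructed row (not from any real image): the centre value, both legal
 * extremes, and three values no valid encoder produces but a malformed
 * lossless stream can. */
#define SAMPLE_N 6
static const J12SAMPLE SAMPLE_Y[SAMPLE_N]  = {1000, 1000, 1000, 1000, 1000, 1000};
static const J12SAMPLE SAMPLE_CB[SAMPLE_N] = {2048, 2048, 2048, 2048, 2048, 2048};
static const J12SAMPLE SAMPLE_CR[SAMPLE_N] = {2048, 0, 4095, 5000, -7, 32767};

size_t sample_out_of_range(void) { return count_out_of_range(SAMPLE_CR, SAMPLE_N); }

/* Red value for column i of the constructed row after hardened conversion;
 * -1 for an index outside the row. */
int sample_red(size_t i) {
    int r[SAMPLE_N], b[SAMPLE_N];
    merged_row_to_rb(SAMPLE_Y, SAMPLE_CB, SAMPLE_CR, r, b, SAMPLE_N);
    return i < SAMPLE_N ? r[i] : -1;
}

int main(void) {
    printf("samples that would index past the table: %zu of %d\n",
           sample_out_of_range(), SAMPLE_N);
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("Cr=%6d -> R=%4d after range limiting\n", SAMPLE_CR[i], sample_red(i));
    return 0;
}
```

Three of the six constructed chroma values (5000, -7, 32767) would be used as raw indices beyond the 4096-entry table; after `range_limit12` they collapse onto the legal extremes, which is why the hardened output for those columns equals the output for Cr=4095 or Cr=0. A build with `-fsanitize=address` against the unclamped variant would report the same three reads as heap-buffer-overflows, matching the ASan location named in the bug title.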