Bug 2235521 (CVE-2021-29390)

Summary: CVE-2021-29390 libjpeg-turbo: heap-buffer-overflow vulnerability in decompress_smooth_data in jdcoefct.c
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdettelb, caswilli, fjansen, hkataria, jburrell, jsherril, kaycoth, kshier, nforro, rh-spice-bugs
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libjpeg-turbo 2.1.0 Doc Type: If docs needed, set a value
Doc Text:
A heap buffer over-read flaw was found in libjpeg-turbo. For certain types of smoothed jpeg images, the decompress_smooth_data() function may improperly enter a condition statement that leads to heap memory read of uninitialized data, which may cause an application crash or loss of confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2235522, 2235523, 2235524, 2235525, 2236152, 2236153, 2236154    
Bug Blocks: 2235520    

Description Chess Hazlett 2023-08-28 22:29:09 UTC 
libjpeg-turbo version 2.0.90 is vulnerable to a heap-buffer-overflow vulnerability in decompress_smooth_data in jdcoefct.c.

https://bugzilla.redhat.com/show_bug.cgi?id=1943797
Comment 3 TEJ RATHI 2023-08-30 13:22:04 UTC 
Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2236152]


Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 2236153]


Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 2236154]
Comment 4 Pedro Sampaio 2023-09-27 21:06:19 UTC 
Upstream commit:

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/ccaba5d7894ecfb5a8f11e48d3f86e1f14d5a469

Upstream issue/PR:

https://github.com/libjpeg-turbo/libjpeg-turbo/pull/476

Other references:

https://github.com/libjpeg-turbo/libjpeg-turbo/pull/724
Comment 5 Pedro Sampaio 2023-09-28 20:08:24 UTC 
Upstream issue:

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/459#issuecomment-733720010
Comment 8 errata-xmlrpc 2024-04-30 10:02:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2295 https://access.redhat.com/errata/RHSA-2024:2295