Bug 826849 (CVE-2012-2806)

Summary: CVE-2012-2806 libjpeg-turbo: Heap-based buffer overflow when decompressing corrupt JPEG images
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: scarybeasts, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20120717,reported=20120531,source=google,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/libjpeg-turbo=affected,cwe=CWE-122[auto]
Doc Type: Bug Fix
Last Closed: 2013-05-08 16:08:44 EDT
Bug Depends On: 840719    
Bug Blocks: 826852    

Description Huzaifa S. Sidhpurwala 2012-05-31 02:47:15 EDT
A heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create a specially-crafted JPEG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

Patch:
http://libjpeg-turbo.svn.sourceforge.net/viewvc/libjpeg-turbo?view=revision&revision=830

References:
http://code.google.com/p/chromium/issues/detail?id=130240
https://bugzilla.mozilla.org/show_bug.cgi?id=759802

Comment 3 Huzaifa S. Sidhpurwala 2012-07-17 00:20:49 EDT
Acknowledgements:

Red Hat would like to thank Chris Evans of the Google Security Team for reporting this issue. Upstream acknowledges Atte Kettunen as the original reporter.

Comment 4 Huzaifa S. Sidhpurwala 2012-07-17 00:33:41 EDT
Created libjpeg-turbo tracking bugs for this issue

Affects: fedora-all [bug 840719]

Comment 5 Fedora Update System 2012-08-09 18:50:11 EDT
libjpeg-turbo-1.2.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.