Bug 826849 (CVE-2012-2806)

Summary: CVE-2012-2806 libjpeg-turbo: Heap-based buffer overflow when decompressing corrupt JPEG images
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Type: ---
Regression: ---
Last Closed: 2013-05-08 20:08:44 UTC
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Assignee: Red Hat Product Security <security-response-team>
CC: scarybeasts, security-response-team
Bug Depends On: 840719
Bug Blocks: 826852

Description Huzaifa S. Sidhpurwala 2012-05-31 06:47:15 UTC
A heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create a specially-crafted JPEG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

Patch:
http://libjpeg-turbo.svn.sourceforge.net/viewvc/libjpeg-turbo?view=revision&revision=830

References:
http://code.google.com/p/chromium/issues/detail?id=130240
https://bugzilla.mozilla.org/show_bug.cgi?id=759802
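
Added example in C, written for this page and not libjpeg-turbo's own code or the r830 patch: a marker-level validator that an application can run over an untrusted JPEG buffer before handing it to a decoder, rejecting any frame (SOF) or scan (SOS) header whose component count is out of range, which is the corrupt condition the description above refers to. The JPEG_MAX_COMPONENTS and JPEG_MAX_COMPS_IN_SCAN limits are assumed from the MAX_COMPONENTS (10) and MAX_COMPS_IN_SCAN (4) values that libjpeg's jpeglib.h defines; sample_ok is a constructed byte sequence of marker segments, not a real image, and check_with_counts is a hypothetical helper that patches its component-count bytes.

```c
/* Added example (not libjpeg-turbo's code or its fix): walk the JPEG marker
 * segments of an untrusted buffer and reject out-of-range component counts
 * before the buffer is handed to a decoder. Limits are assumed from jpeglib.h
 * (MAX_COMPONENTS = 10, MAX_COMPS_IN_SCAN = 4). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define JPEG_MAX_COMPONENTS    10
#define JPEG_MAX_COMPS_IN_SCAN  4

enum jpeg_check_result {
    JPEG_OK = 0,
    JPEG_ERR_NO_SOI = -1,             /* does not start with FF D8 */
    JPEG_ERR_BAD_MARKER = -2,         /* segment does not start with FF */
    JPEG_ERR_TRUNCATED = -3,          /* segment or stream runs off the end */
    JPEG_ERR_FRAME_COMPONENTS = -4,   /* SOF Nf outside 1..JPEG_MAX_COMPONENTS */
    JPEG_ERR_SCAN_COMPONENTS = -5,    /* SOS Ns outside 1..JPEG_MAX_COMPS_IN_SCAN */
    JPEG_ERR_SCAN_BEFORE_FRAME = -6,  /* SOS before any SOF */
    JPEG_ERR_SCAN_EXCEEDS_FRAME = -7, /* SOS Ns larger than the frame's Nf */
    JPEG_ERR_NO_FRAME = -8            /* EOI reached without any SOF */
};

int jpeg_check_component_counts(const uint8_t *buf, size_t len)
{
    size_t pos = 2;
    int frame_components = -1;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_ERR_NO_SOI;

    while (pos + 2 <= len) {
        if (buf[pos] != 0xFF) return JPEG_ERR_BAD_MARKER;
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }     /* fill byte before a marker */
        pos += 2;
        if (marker == 0xD9)                          /* EOI */
            return frame_components < 0 ? JPEG_ERR_NO_FRAME : JPEG_OK;
        if (marker == 0xD8 || marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                                /* standalone, no length field */
        if (pos + 2 > len) return JPEG_ERR_TRUNCATED;
        size_t seg_len = ((size_t)buf[pos] << 8) | buf[pos + 1]; /* counts itself */
        if (seg_len < 2 || seg_len > len - pos) return JPEG_ERR_TRUNCATED;
        const uint8_t *payload = buf + pos + 2;
        size_t payload_len = seg_len - 2;

        /* SOF0..SOF15 are C0..CF except DHT (C4), JPG (C8) and DAC (CC) */
        if (marker >= 0xC0 && marker <= 0xCF && marker != 0xC4 &&
            marker != 0xC8 && marker != 0xCC) {
            /* P(1) Y(2) X(2) Nf(1), then 3 bytes per component */
            if (payload_len < 6) return JPEG_ERR_TRUNCATED;
            unsigned nf = payload[5];
            if (nf < 1 || nf > JPEG_MAX_COMPONENTS) return JPEG_ERR_FRAME_COMPONENTS;
            if (payload_len < 6 + 3u * nf) return JPEG_ERR_TRUNCATED;
            frame_components = (int)nf;
        } else if (marker == 0xDA) {                 /* SOS */
            /* Ns(1), 2 bytes per component, then Ss, Se, Ah/Al */
            if (frame_components < 0) return JPEG_ERR_SCAN_BEFORE_FRAME;
            if (payload_len < 1) return JPEG_ERR_TRUNCATED;
            unsigned ns = payload[0];
            if (ns < 1 || ns > JPEG_MAX_COMPS_IN_SCAN) return JPEG_ERR_SCAN_COMPONENTS;
            if ((int)ns > frame_components) return JPEG_ERR_SCAN_EXCEEDS_FRAME;
            if (payload_len < 4 + 2u * ns) return JPEG_ERR_TRUNCATED;
            pos += seg_len;
            /* Skip entropy-coded data: FF 00 is a stuffed byte, FF D0..D7 a
             * restart marker; any other FF xx begins the next segment. */
            while (pos + 1 < len && !(buf[pos] == 0xFF && buf[pos + 1] != 0x00 &&
                                      !(buf[pos + 1] >= 0xD0 && buf[pos + 1] <= 0xD7)))
                pos++;
            continue;
        }
        pos += seg_len;
    }
    return JPEG_ERR_TRUNCATED;                       /* no EOI before end of data */
}

/* Constructed sample: SOI, a 16x16 three-component baseline SOF0, one SOS
 * covering all three components, a few entropy bytes (with a stuffed FF 00)
 * and EOI. Huffman/quantisation tables are omitted; marker structure only. */
static const uint8_t sample_ok[] = {
    0xFF, 0xD8,
    0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, 0x10, 0x00, 0x10, 0x03,
    0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01,
    0xFF, 0xDA, 0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03, 0x11,
    0x00, 0x3F, 0x00,
    0x12, 0x34, 0xFF, 0x00, 0x56,
    0xFF, 0xD9
};

/* Hypothetical helper: check a copy of sample_ok with the SOF Nf byte
 * (offset 11) and the SOS Ns byte (offset 25) overwritten, so that
 * check_with_counts(3, 200) models a scan header whose component count
 * was set to a large value. */
int check_with_counts(uint8_t nf, uint8_t ns)
{
    uint8_t buf[sizeof sample_ok];
    memcpy(buf, sample_ok, sizeof buf);
    buf[11] = nf;
    buf[25] = ns;
    return jpeg_check_component_counts(buf, sizeof buf);
}
```

A check like this is defence in depth for code that must accept images from untrusted sources; it does not replace updating libjpeg-turbo to a build that carries the upstream fix, and it deliberately stops at marker structure (it does not validate Huffman or quantisation tables, nor the entropy-coded data itself).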

Comment 3 Huzaifa S. Sidhpurwala 2012-07-17 04:20:49 UTC
Acknowledgements:

Red Hat would like to thank Chris Evans of the Google Security Team for reporting this issue. Upstream acknowledges Atte Kettunen as the original reporter.

Comment 4 Huzaifa S. Sidhpurwala 2012-07-17 04:33:41 UTC
Created libjpeg-turbo tracking bugs for this issue.

Affects: fedora-all [bug 840719]

Comment 5 Fedora Update System 2012-08-09 22:50:11 UTC
libjpeg-turbo-1.2.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.