Bug 1031734 - (CVE-2013-6629) CVE-2013-6629 libjpeg: information leak (read of uninitialized memory)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20131112,repor...
Keywords: Security
Duplicates: CVE-2014-0462
Depends On: 1031737 1031739 1031740 1031741 1031952 1031954 1031955 1031957
Blocks: 1030229 1082776

Reported: 2013-11-18 11:21 EST by Vincent Danen
Modified: 2016-04-26 10:38 EDT
CC: 12 users
Doc Type: Bug Fix
Last Closed: 2015-03-02 13:04:27 EST

Attachments: None
Description Vincent Danen 2013-11-18 11:21:31 EST
It was reported [1],[2] that libjpeg and libjpeg-turbo would use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in the presence of valid chroma data (Cr, Cb).  An example proof of concept that can be viewed in a browser is also available [3].

This was reported and fixed initially in Google Chrome/Chromium; it does not appear to be fixed in upstream libjpeg or libjpeg-turbo yet.  Patches to the third party source in Chromium for libjpeg [4] and libjpeg-turbo [5] however are available.


[1] http://googlechromereleases.blogspot.de/2013/11/stable-channel-update.html
[2] http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html
[3] http://lcamtuf.coredump.cx/jpeg_leak/
[4] http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libjpeg/jdmarker.c?r1=228354&r2=228353&pathrev=228354
[5] http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libjpeg_turbo/jdmarker.c?r1=228381&r2=228380&pathrev=228381
Comment 2 Vincent Danen 2013-11-18 11:34:58 EST
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1031737]
Comment 3 Vincent Danen 2013-11-18 11:35:05 EST
Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1031740]
Comment 4 Vincent Danen 2013-11-18 11:35:12 EST
Created mingw32-libjpeg tracking bugs for this issue:

Affects: epel-5 [bug 1031741]
Comment 5 Vincent Danen 2013-11-18 11:36:38 EST
The Chromium bug is https://code.google.com/p/chromium/issues/detail?id=258723 but it's not currently public.
Comment 7 Vincent Danen 2013-11-18 12:30:03 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6629 to
the following vulnerability:

Name: CVE-2013-6629
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Assigned: 20131105
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: http://bugs.ghostscript.com/show_bug.cgi?id=686980
Reference: http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=258723
Reference: https://src.chromium.org/viewvc/chrome?revision=229729&view=revision

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2)
libjpeg-turbo through 1.3.0, as used in Google Chrome before
31.0.1650.48, Ghostscript, and other products, does not check for
certain duplications of component data during the reading of segments
that follow Start Of Scan (SOS) JPEG markers, which allows remote
attackers to obtain sensitive information from uninitialized memory
locations via a crafted JPEG image.
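Added illustrative example (not libjpeg's, libjpeg-turbo's or Chromium's own code): a small C validator for an SOS segment that applies the per-scan duplicate-component check the CVE text says get_sos lacked, run over two constructed scan headers for an assumed YCbCr frame whose SOF declared component ids 1, 2 and 3.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of validating one SOS (Start Of Scan) segment. */
enum sos_status { SOS_OK = 0, SOS_BAD_LENGTH, SOS_BAD_COUNT,
                  SOS_UNKNOWN_COMPONENT, SOS_DUPLICATE_COMPONENT, SOS_BAD_TABLE };

#define MAX_COMPS_IN_SCAN 4   /* JPEG limit on components per scan (Ns) */

/* Validate an SOS payload: the bytes after the 2-byte segment length, laid
 * out as Ns, Ns pairs of (Cs, Td<<4|Ta), then Ss, Se, Ah<<4|Al.
 * frame_ids/nframe are the component identifiers the SOF segment declared.
 * Illustrative code (not libjpeg's own): the duplicate-selector check is the
 * one CVE-2013-6629 showed get_sos() was missing. */
enum sos_status validate_sos(const uint8_t *p, size_t len,
                             const uint8_t *frame_ids, size_t nframe)
{
    if (len < 1) return SOS_BAD_LENGTH;
    size_t ns = p[0];
    if (ns < 1 || ns > MAX_COMPS_IN_SCAN) return SOS_BAD_COUNT;
    if (len != 1 + 2 * ns + 3) return SOS_BAD_LENGTH;
    uint8_t seen[MAX_COMPS_IN_SCAN];
    for (size_t i = 0; i < ns; i++) {
        uint8_t cs = p[1 + 2 * i], tbl = p[2 + 2 * i];
        size_t ci;
        for (ci = 0; ci < nframe; ci++) if (frame_ids[ci] == cs) break;
        if (ci == nframe) return SOS_UNKNOWN_COMPONENT;
        /* A component selected twice in one scan means some other component
         * is never coded, so its coefficient buffer stays uninitialized. */
        for (size_t j = 0; j < i; j++)
            if (seen[j] == cs) return SOS_DUPLICATE_COMPONENT;
        seen[i] = cs;
        if ((tbl >> 4) > 3 || (tbl & 0x0F) > 3) return SOS_BAD_TABLE;
    }
    return SOS_OK;
}

/* Constructed samples: a YCbCr frame (ids 1,2,3) and two SOS payloads. */
static const uint8_t kFrameIds[3] = { 1, 2, 3 };
static const uint8_t kGoodSos[] = { 3, 1,0x00, 2,0x11, 3,0x11, 0, 63, 0 };
static const uint8_t kDupSos[]  = { 3, 2,0x11, 2,0x11, 3,0x11, 0, 63, 0 }; /* Cb twice, Y absent */

int main(void)
{
    printf("good scan -> %d\n", validate_sos(kGoodSos, sizeof kGoodSos, kFrameIds, 3));
    printf("duplicate scan -> %d\n", validate_sos(kDupSos, sizeof kDupSos, kFrameIds, 3));
    return 0;
}
```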
Comment 9 errata-xmlrpc 2013-12-09 18:27:55 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1804 https://rhn.redhat.com/errata/RHSA-2013-1804.html
Comment 10 errata-xmlrpc 2013-12-09 18:28:35 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1803 https://rhn.redhat.com/errata/RHSA-2013-1803.html
Comment 11 Tomas Hoger 2014-04-10 04:52:20 EDT
Michal Zalewski's test page for this bug:
http://lcamtuf.coredump.cx/jpeg_leak/
Comment 13 errata-xmlrpc 2014-04-17 05:30:42 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html
Comment 14 errata-xmlrpc 2014-04-17 05:33:50 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html
Comment 15 Stefan Cornelius 2014-04-17 06:27:56 EDT
OpenJDK upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5ccfde781cdb
Comment 16 errata-xmlrpc 2014-04-17 07:41:59 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html
Comment 17 errata-xmlrpc 2014-05-13 15:48:08 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0486 https://rhn.redhat.com/errata/RHSA-2014-0486.html
Comment 18 errata-xmlrpc 2014-05-15 13:29:28 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0508 https://rhn.redhat.com/errata/RHSA-2014-0508.html
Comment 19 errata-xmlrpc 2014-05-15 14:22:35 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0509 https://rhn.redhat.com/errata/RHSA-2014-0509.html
Comment 20 Tomas Hoger 2014-06-09 05:07:20 EDT
*** Bug 1106388 has been marked as a duplicate of this bug. ***
Comment 21 errata-xmlrpc 2014-06-10 09:12:32 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html
Comment 23 errata-xmlrpc 2014-07-29 11:41:10 EDT
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html
Comment 24 Petr Hracek 2015-02-24 09:52:02 EST
All the bugs are closed. This bugzilla can be closed too.