Bug 1031734 (CVE-2013-6629) - CVE-2013-6629 libjpeg: information leak (read of uninitialized memory)
Summary: CVE-2013-6629 libjpeg: information leak (read of uninitialized memory)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6629
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: CVE-2014-0462
Depends On: 1031737 1031739 1031740 1031741 1031952 1031954 1031955 1031957
Blocks: 1030229 1082776
Reported: 2013-11-18 16:21 UTC by Vincent Danen
Modified: 2019-09-29 13:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-02 18:04:27 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1803 0 normal SHIPPED_LIVE Moderate: libjpeg-turbo security update 2013-12-10 04:27:14 UTC
Red Hat Product Errata RHSA-2013:1804 0 normal SHIPPED_LIVE Moderate: libjpeg security update 2013-12-10 04:27:06 UTC
Red Hat Product Errata RHSA-2014:0412 0 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2014-04-17 13:28:34 UTC
Red Hat Product Errata RHSA-2014:0413 0 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2017-12-15 19:38:34 UTC
Red Hat Product Errata RHSA-2014:0414 0 normal SHIPPED_LIVE Important: java-1.6.0-sun security update 2017-12-15 19:38:49 UTC
Red Hat Product Errata RHSA-2014:0486 0 normal SHIPPED_LIVE Critical: java-1.7.0-ibm security update 2014-05-13 23:47:47 UTC
Red Hat Product Errata RHSA-2014:0508 0 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2014-05-15 21:28:29 UTC
Red Hat Product Errata RHSA-2014:0509 0 normal SHIPPED_LIVE Important: java-1.5.0-ibm security update 2014-05-15 22:19:35 UTC
Red Hat Product Errata RHSA-2014:0705 0 normal SHIPPED_LIVE Critical: java-1.7.1-ibm security update 2014-06-10 17:07:11 UTC
Red Hat Product Errata RHSA-2014:0982 0 normal SHIPPED_LIVE Low: Red Hat Network Satellite server IBM Java Runtime security update 2014-07-29 19:40:11 UTC

Description Vincent Danen 2013-11-18 16:21:31 UTC
It was reported [1],[2] that libjpeg and libjpeg-turbo would use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in the presence of valid chroma data (Cr, Cb).  An example proof of concept that can be viewed in a browser is also available [3].

This was reported and fixed initially in Google Chrome/Chromium; it does not appear to be fixed in upstream libjpeg or libjpeg-turbo yet.  Patches to the third party source in Chromium for libjpeg [4] and libjpeg-turbo [5] however are available.


[1] http://googlechromereleases.blogspot.de/2013/11/stable-channel-update.html
[2] http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html
[3] http://lcamtuf.coredump.cx/jpeg_leak/
[4] http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libjpeg/jdmarker.c?r1=228354&r2=228353&pathrev=228354
[5] http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libjpeg_turbo/jdmarker.c?r1=228381&r2=228380&pathrev=228381

Comment 2 Vincent Danen 2013-11-18 16:34:58 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1031737]

Comment 3 Vincent Danen 2013-11-18 16:35:05 UTC
Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1031740]

Comment 4 Vincent Danen 2013-11-18 16:35:12 UTC
Created mingw32-libjpeg tracking bugs for this issue:

Affects: epel-5 [bug 1031741]

Comment 5 Vincent Danen 2013-11-18 16:36:38 UTC
The Chromium bug is https://code.google.com/p/chromium/issues/detail?id=258723 but it's not currently public.

Comment 7 Vincent Danen 2013-11-18 17:30:03 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6629 to
the following vulnerability:

Name: CVE-2013-6629
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Assigned: 20131105
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: http://bugs.ghostscript.com/show_bug.cgi?id=686980
Reference: http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=258723
Reference: https://src.chromium.org/viewvc/chrome?revision=229729&view=revision

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2)
libjpeg-turbo through 1.3.0, as used in Google Chrome before
31.0.1650.48, Ghostscript, and other products, does not check for
certain duplications of component data during the reading of segments
that follow Start Of Scan (SOS) JPEG markers, which allows remote
attackers to obtain sensitive information from uninitialized memory
locations via a crafted JPEG image.
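The check described in the report and in the CVE text above, as an added example that is not libjpeg's, libjpeg-turbo's or the Chromium patch's own code: a stand-alone validator for the SOS component list that rejects a selector not declared in the SOF frame header and a component listed twice, the duplication that leaves the unscanned component's coefficient buffer uninitialized. The frame component IDs and SOS payloads are constructed here, and check_sos and MAX_COMPS_IN_SCAN are names defined for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_COMPS_IN_SCAN 4   /* JPEG permits at most 4 components per scan */

/* Validate the payload of an SOS (Start Of Scan) segment, i.e. the bytes
 * after the 2-byte length: Ns, then Ns pairs (component selector Cs,
 * DC/AC table selectors), then Ss, Se, Ah/Al. frame_ids[] holds the
 * component IDs declared by the SOF frame header.
 * Returns Ns on success, -1 if truncated or malformed, -2 if a selector
 * names no SOF component, -3 if a component is listed twice. The -3 case
 * is the duplication behind CVE-2013-6629: with Cb listed twice and Y
 * absent, Y's coefficient buffer is never written but is still read by
 * the later decoding stages. */
int check_sos(const uint8_t *p, size_t len,
              const uint8_t *frame_ids, int nframe)
{
    if (len < 1) return -1;
    int ns = p[0];
    if (ns < 1 || ns > MAX_COMPS_IN_SCAN || len < (size_t)(1 + 2 * ns + 3))
        return -1;
    uint8_t seen[256] = {0};                 /* indexed by selector value */
    for (int i = 0; i < ns; i++) {
        uint8_t cs = p[1 + 2 * i];
        int ci;
        for (ci = 0; ci < nframe; ci++)
            if (frame_ids[ci] == cs) break;
        if (ci == nframe) return -2;         /* not declared in SOF */
        if (seen[cs]) return -3;             /* duplicate: a component is skipped */
        seen[cs] = 1;
    }
    return ns;
}

/* Constructed samples, not taken from any real file. Frame: IDs 1,2,3 = Y,Cb,Cr. */
const uint8_t frame_ids[3]  = {1, 2, 3};
const uint8_t sos_ok[]      = {3, 1,0x00, 2,0x11, 3,0x11, 0,63,0};
const uint8_t sos_dup[]     = {3, 2,0x11, 2,0x11, 3,0x11, 0,63,0}; /* Cb twice, no Y */
const uint8_t sos_unknown[] = {1, 9,0x00, 0,63,0};                 /* ID 9 not in SOF */

int main(void)
{
    printf("ok=%d dup=%d unknown=%d\n",
           check_sos(sos_ok, sizeof sos_ok, frame_ids, 3),
           check_sos(sos_dup, sizeof sos_dup, frame_ids, 3),
           check_sos(sos_unknown, sizeof sos_unknown, frame_ids, 3));
    return 0;
}
```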

Comment 9 errata-xmlrpc 2013-12-09 23:27:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1804 https://rhn.redhat.com/errata/RHSA-2013-1804.html

Comment 10 errata-xmlrpc 2013-12-09 23:28:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1803 https://rhn.redhat.com/errata/RHSA-2013-1803.html

Comment 11 Tomas Hoger 2014-04-10 08:52:20 UTC
Michal Zalewski's test page for this bug:
http://lcamtuf.coredump.cx/jpeg_leak/

Comment 13 errata-xmlrpc 2014-04-17 09:30:42 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html

Comment 14 errata-xmlrpc 2014-04-17 09:33:50 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html

Comment 15 Stefan Cornelius 2014-04-17 10:27:56 UTC
OpenJDK upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5ccfde781cdb

Comment 16 errata-xmlrpc 2014-04-17 11:41:59 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html

Comment 17 errata-xmlrpc 2014-05-13 19:48:08 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0486 https://rhn.redhat.com/errata/RHSA-2014-0486.html

Comment 18 errata-xmlrpc 2014-05-15 17:29:28 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0508 https://rhn.redhat.com/errata/RHSA-2014-0508.html

Comment 19 errata-xmlrpc 2014-05-15 18:22:35 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0509 https://rhn.redhat.com/errata/RHSA-2014-0509.html

Comment 20 Tomas Hoger 2014-06-09 09:07:20 UTC
*** Bug 1106388 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2014-06-10 13:12:32 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html

Comment 23 errata-xmlrpc 2014-07-29 15:41:10 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html

Comment 24 Petr Hracek 2015-02-24 14:52:02 UTC
All the bugs are closed. This bugzilla can be closed too.
