It was reported [1],[2] that libjpeg and libjpeg-turbo would use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in the presence of valid chroma data (Cr, Cb). An example proof of concept that can be viewed in a browser is also available [3]. This was reported and fixed initially in Google Chrome/Chromium; it does not appear to be fixed in upstream libjpeg or libjpeg-turbo yet. Patches to the third-party source in Chromium for libjpeg [4] and libjpeg-turbo [5] are, however, available.

[1] http://googlechromereleases.blogspot.de/2013/11/stable-channel-update.html
[2] http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html
[3] http://lcamtuf.coredump.cx/jpeg_leak/
[4] http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libjpeg/jdmarker.c?r1=228354&r2=228353&pathrev=228354
[5] http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libjpeg_turbo/jdmarker.c?r1=228381&r2=228380&pathrev=228381
Created libjpeg-turbo tracking bugs for this issue: Affects: fedora-all [bug 1031737]
Created mingw-libjpeg-turbo tracking bugs for this issue: Affects: fedora-all [bug 1031740]
Created mingw32-libjpeg tracking bugs for this issue: Affects: epel-5 [bug 1031741]
The Chromium bug is https://code.google.com/p/chromium/issues/detail?id=258723 but it's not currently public.
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6629 to the following vulnerability:

Name: CVE-2013-6629
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Assigned: 20131105
Reference: FULLDISC:20131112 bugs in IJG jpeg6b & libjpeg-turbo
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
Reference: http://bugs.ghostscript.com/show_bug.cgi?id=686980
Reference: http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=258723
Reference: https://src.chromium.org/viewvc/chrome?revision=229729&view=revision

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.
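An added illustration of the class of check the CVE text describes (example code written for this page; it is not libjpeg's or Chromium's get_sos and not the patch linked above). It is a minimal parser for the payload of an SOS segment, with hypothetical names (parse_sos, sos_result, uncovered_components) and two constructed SOS payloads for a three-component YCbCr frame: one that names Y, Cb and Cr, and one that names Cb twice so that Y never receives scan data. With the duplicate check disabled, the second payload is accepted and the scan appears to cover all three components even though one of them is never written; with the check enabled, it is rejected.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_COMPS 4

/* Result codes for this parser (hypothetical names, not libjpeg's JERR_* codes). */
enum sos_result { SOS_OK = 0, SOS_ERR_TRUNCATED, SOS_ERR_BAD_COUNT,
                  SOS_ERR_UNKNOWN_COMPONENT, SOS_ERR_DUPLICATE_COMPONENT };

/* Frame components (indices into the SOF component table) that one scan covers. */
struct sos_scan { int comps_in_scan; int comp_index[MAX_COMPS]; };

/* Parse the SOS payload that follows the 2-byte segment length:
 *   Ns, then Ns pairs of (component selector Cs, Td<<4|Ta), then Ss, Se, Ah<<4|Al.
 * sof_ids holds the component IDs declared by the SOF marker.
 * reject_duplicates == 0 mimics the pre-fix behaviour: each selector only has to
 * match *some* SOF component, so the same component may be named twice. */
enum sos_result parse_sos(const uint8_t *p, size_t len,
                          const uint8_t *sof_ids, int num_frame_comps,
                          int reject_duplicates, struct sos_scan *out)
{
    if (len < 1)
        return SOS_ERR_TRUNCATED;
    int ns = p[0];
    if (ns < 1 || ns > MAX_COMPS || ns > num_frame_comps)
        return SOS_ERR_BAD_COUNT;
    if (len < (size_t)(1 + 2 * ns + 3))
        return SOS_ERR_TRUNCATED;

    out->comps_in_scan = ns;
    for (int i = 0; i < ns; i++) {
        uint8_t cs = p[1 + 2 * i];
        int idx = -1;
        for (int j = 0; j < num_frame_comps; j++)
            if (sof_ids[j] == cs) { idx = j; break; }
        if (idx < 0)
            return SOS_ERR_UNKNOWN_COMPONENT;
        /* The check that was missing: a scan must not name one component twice. */
        if (reject_duplicates)
            for (int k = 0; k < i; k++)
                if (out->comp_index[k] == idx)
                    return SOS_ERR_DUPLICATE_COMPONENT;
        out->comp_index[i] = idx;
    }
    return SOS_OK;
}

/* Count SOF components that no scan supplied data for. A decoder that still
 * emits the image would read those components' sample buffers unwritten. */
int uncovered_components(const struct sos_scan *scans, int nscans, int num_frame_comps)
{
    int seen[MAX_COMPS] = {0};
    for (int s = 0; s < nscans; s++)
        for (int i = 0; i < scans[s].comps_in_scan; i++)
            seen[scans[s].comp_index[i]] = 1;
    int missing = 0;
    for (int j = 0; j < num_frame_comps; j++)
        if (!seen[j]) missing++;
    return missing;
}

/* Constructed inputs: a 3-component YCbCr frame (IDs 1, 2, 3) and two SOS payloads. */
static const uint8_t sof_ids[3] = {1, 2, 3};
/* Ns=3 covering Y, Cb, Cr; Ss=0, Se=63, Ah/Al=0. */
static const uint8_t sos_valid[] = {3, 1, 0x00, 2, 0x11, 3, 0x11, 0, 63, 0};
/* Ns=3 again, but Cb (ID 2) is named twice and Y (ID 1) never gets scan data. */
static const uint8_t sos_dup[]   = {3, 2, 0x11, 2, 0x11, 3, 0x11, 0, 63, 0};

int demo_valid_scan(void)
{
    struct sos_scan scan;
    return parse_sos(sos_valid, sizeof sos_valid, sof_ids, 3, 1, &scan);
}

int demo_duplicate_scan(int reject_duplicates)
{
    struct sos_scan scan;
    return parse_sos(sos_dup, sizeof sos_dup, sof_ids, 3, reject_duplicates, &scan);
}

/* Old behaviour: the frame looks fully scanned (3 of 3 selectors accepted), yet
 * one component never received data. */
int demo_uncovered_after_duplicate(void)
{
    struct sos_scan scan;
    if (parse_sos(sos_dup, sizeof sos_dup, sof_ids, 3, 0, &scan) != SOS_OK)
        return -1;
    return uncovered_components(&scan, 1, 3);
}

int main(void)
{
    printf("valid=%d dup_old=%d uncovered=%d dup_checked=%d\n", demo_valid_scan(),
           demo_duplicate_scan(0), demo_uncovered_after_duplicate(), demo_duplicate_scan(1));
    return 0;
}
```

The duplicate check is the cheap part; the point of uncovered_components is that a per-scan check is only sufficient if the decoder also refuses to emit output for components that no scan has populated, which is the condition a real decoder must track across all scans of the image, not just within one SOS segment.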
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1804 https://rhn.redhat.com/errata/RHSA-2013-1804.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1803 https://rhn.redhat.com/errata/RHSA-2013-1803.html
Michal Zalewski's test page for this bug: http://lcamtuf.coredump.cx/jpeg_leak/
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html
OpenJDK upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5ccfde781cdb
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0486 https://rhn.redhat.com/errata/RHSA-2014-0486.html
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0508 https://rhn.redhat.com/errata/RHSA-2014-0508.html
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0509 https://rhn.redhat.com/errata/RHSA-2014-0509.html
*** Bug 1106388 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html
All the bugs are closed. This bugzilla can be closed too.