Bug 1318509 - null pointer dereference in libjpeg library in cjpeg
Summary: null pointer dereference in libjpeg library in cjpeg
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libjpeg-turbo
Version: 7.4
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nikola Forró
QA Contact: Jan Houska
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-17 06:16 UTC by Aladdin Mubaied
Modified: 2019-08-06 12:39 UTC

Fixed In Version: libjpeg-turbo-1.2.90-7.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:39:19 UTC
Target Upstream Version:
Embargoed:


Attachments
crasher (25 bytes, application/octet-stream), 2016-03-17 06:16 UTC, Aladdin Mubaied


Links
Red Hat Product Errata RHSA-2019:2052 (last updated 2019-08-06 12:39:29 UTC)

Description Aladdin Mubaied 2016-03-17 06:16:11 UTC
Created attachment 1137318 [details]
crasher

I would like to report a null pointer dereference in the libjpeg library at rdppm.c:153. Here are the details:

This bug can be used to cause a denial of service attack and, in some cases, remote code execution if the library is used in a system that accepts user input. Please assign a CVE for this issue.

$ cjpeg crasher
Starting program: /opt/libjpeg/bin/cjpeg crasher
Program received signal SIGSEGV, Segmentation fault.

bt:
#0 get_text_gray_row (cinfo=0x7fffffffe2c0, sinfo=<optimized out>) at rdppm.c:153
#1 0x0000000000401996 in main (argc=0x2, argv=0x7fffffffe618) at cjpeg.c:642
#2 0x00007ffff7738af5 in __libc_start_main () from /lib64/libc.so.6
#3 0x0000000000401e2d in _start ()

*ptr++ = rescale[read_pbm_integer(cinfo, infile)];
=> 0x407b08 <get_text_gray_row+200>: movzx esi,BYTE PTR [r13+rcx*1+0x0]

gdb$ p $r13+$rcx*1+0x0

gdb$ $8 = 0x92d91bc1
gdb$ x/x 0x92d91bc1
0x92d91bc1: Cannot access memory at address 0x92d91bc1

Thanks 
Aladdin Mubaied

Comment 2 Aladdin Mubaied 2016-03-18 21:58:53 UTC
Please note that I have requested a CVE ID for this bug from cve-assign.

Comment 3 Aladdin Mubaied 2016-03-18 23:25:02 UTC
MITRE has assigned the following CVE ID to the bug: CVE-2016-3616.

Comment 4 Huzaifa S. Sidhpurwala 2016-03-25 04:38:03 UTC
Aladdin,

After analyzing this issue, it seems that the flaw is in the cjpeg utility shipped with libjpeg and not in the library itself. The cjpeg utility is used to compress an image file and produce a JPEG image.

Interestingly, when I run this file through netpbm (pgmtopbm), it correctly handles it and the following message is printed:

pamditherbw: ASCII decimal integer in file is too large to be processed.  
P4
23 1
pamtopnm: End of file encountered when trying to read a row from input file.


which shows that it is doing the right thing.

The above being said, I want to make this bug public, since it does not sound very serious. Are you OK with that?

Comment 5 Aladdin Mubaied 2016-03-25 04:46:14 UTC
Sure, if the issue is only in the cjpeg utility, you can make this bug public. ty

Comment 6 Huzaifa S. Sidhpurwala 2016-03-30 09:12:51 UTC
This bug corresponds to the security flaw at:
https://bugzilla.redhat.com/show_bug.cgi?id=1319661

Comment 9 Jan Houska 2019-06-20 14:06:02 UTC
VERIFIED

NEW PASS:
libjpeg-turbo-1.2.90-8.el7

::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:46:16 ] :: [  BEGIN   ] :: Running reproducer :: actually running 'cjpeg crasherfile'
Numeric value out of range in PPM file
:: [ 17:46:16 ] :: [   PASS   ] :: Running reproducer (Expected 1, got 1)
:: [ 17:46:16 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.B9reO9C3' should contain 'Numeric value out of range in PPM file' 
:: [ 17:46:16 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.B9reO9C3' should not contain 'Segmentation fault' 
--cat /var/tmp/rlRun_LOG.B9reO9C3------------------------
Numeric value out of range in PPM file
-/cat /var/tmp/rlRun_LOG.B9reO9C3------------------------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 3 good, 0 bad
::   RESULT: PASS
OLD FAIL:
libjpeg-turbo-1.2.90-6.el7
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:13:24 ] :: [  BEGIN   ] :: Running reproducer :: actually running 'cjpeg crasherfile'
/usr/share/beakerlib/testing.sh: line 873: 13225 Segmentation fault      cjpeg crasherfile
:: [ 17:13:24 ] :: [   FAIL   ] :: Running reproducer (Expected 1, got 139)
:: [ 17:13:24 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.4rNn2hSM' should contain 'Numeric value out of range in PPM file' 
:: [ 17:13:24 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.4rNn2hSM' should not contain 'Segmentation fault' 
--cat /var/tmp/rlRun_LOG.4rNn2hSM------------------------
/usr/share/beakerlib/testing.sh: line 873: 13225 Segmentation fault      cjpeg crasherfile
-/cat /var/tmp/rlRun_LOG.4rNn2hSM------------------------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 1s
::   Assertions: 0 good, 3 bad
::   RESULT: FAIL
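
As an added illustration (not code from libjpeg-turbo, nor from anyone on this bug), here is a minimal ASCII PGM sample reader in the shape of rdppm.c's get_text_gray_row, with the parsed value bounds-checked against maxval before it indexes the rescale table; the fixed package's "Numeric value out of range in PPM file" message in the verification log above is the observable result of that check. The PGM strings and the other error messages are constructed for the example, not taken from the attached crasher.

```c
#include <ctype.h>
#include <string.h>

/* Constructed 1x1 ASCII PGM inputs (not the 25-byte 'crasher' attached to this
 * bug); the second carries a sample value far above its declared maxval. */
static const char PGM_OK[]  = "P2\n1 1\n255\n128\n";
static const char PGM_BAD[] = "P2\n1 1\n255\n4000000000\n";

/* ERR_RANGE is the message the fixed cjpeg prints; the other two are made up here. */
static const char ERR_RANGE[] = "Numeric value out of range in PPM file";
static const char ERR_EOF[]   = "Premature end of input in PPM file";
static const char ERR_HDR[]   = "Unsupported PPM header (need P2, 1x1, maxval 1..255)";

/* Read one ASCII decimal integer after optional whitespace (the role of
 * rdppm.c's read_pbm_integer). Returns -1 if no digit follows. Accumulation
 * stops at 0xFFFFFFFF so an arbitrarily long digit run cannot overflow. */
static long long read_pbm_integer(const char **p)
{
    while (isspace((unsigned char)**p)) (*p)++;
    if (!isdigit((unsigned char)**p)) return -1;
    unsigned long long v = 0;
    for (; isdigit((unsigned char)**p); (*p)++)
        if (v <= 0xFFFFFFFFULL) v = v * 10 + (unsigned long long)(**p - '0');
    return (long long)(v > 0xFFFFFFFFULL ? 0xFFFFFFFFULL : v);
}

/* Parse a 1x1 PGM and store its rescaled 8-bit sample in *out. Returns 0, or
 * -1 with *err set. The `v > maxval` test before the rescale[] lookup is the
 * hardening: the unpatched get_text_gray_row indexed rescale[] with the raw
 * parsed value, which is the invalid read behind the SIGSEGV in the report. */
static int read_gray_sample(const char *pgm, unsigned char *out, const char **err)
{
    const char *p = pgm;
    unsigned char rescale[256];
    if (strncmp(p, "P2", 2) != 0) { *err = ERR_HDR; return -1; }
    p += 2;
    long long w = read_pbm_integer(&p);
    long long h = read_pbm_integer(&p);
    long long maxval = read_pbm_integer(&p);
    if (w != 1 || h != 1 || maxval < 1 || maxval > 255) { *err = ERR_HDR; return -1; }
    for (long long i = 0; i <= maxval; i++)          /* map [0, maxval] onto [0, 255] */
        rescale[i] = (unsigned char)((i * 255 + maxval / 2) / maxval);
    long long v = read_pbm_integer(&p);
    if (v < 0)      { *err = ERR_EOF;   return -1; }
    if (v > maxval) { *err = ERR_RANGE; return -1; } /* the check cjpeg was missing */
    *out = rescale[v];
    return 0;
}
```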

Comment 11 errata-xmlrpc 2019-08-06 12:39:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2052