Bug 1734637 (CVE-2019-13960) - CVE-2019-13960 libjpeg-turbo: denial of service due to incorrect width and height value of JPEG image
Status: CLOSED WONTFIX
Alias: CVE-2019-13960
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1734642 1734639 1734640
Blocks: 1734641
Reported: 2019-07-31 07:00 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:18 UTC
Last Closed: 2019-08-22 05:37:21 UTC


Description Dhananjay Arunesh 2019-07-31 07:00:58 UTC
A vulnerability was found in libjpeg-turbo 2.0.2: a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes.

Reference:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/337
https://libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf

Comment 1 Dhananjay Arunesh 2019-07-31 07:01:22 UTC
Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: epel-7 [bug 1734640]
Affects: fedora-all [bug 1734639]

Comment 2 Dhananjay Arunesh 2019-07-31 07:02:48 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1734642]

Comment 3 Huzaifa S. Sidhpurwala 2019-08-22 05:37:21 UTC
Analysis:

As per upstream, this is a corner case of handling JPEG images, in which the header says that the size of the JPEG image is 32k x 64k, however, the decompressor is not able to handle the data, progressive decompression. libjpeg prints a warning and goes ahead with decompression, which results in a large amount of memory being allocated and in the end may result in DoS via memory exhaustion or even an application crash.

Upstream suggests that applications compiled against libjpeg-turbo should treat these warnings as fatal and abort parsing the image. They do not consider this issue as a security flaw, therefore no patch will be available.

Comment 4 Huzaifa S. Sidhpurwala 2019-08-22 05:37:25 UTC
Statement:

Upstream suggests that applications compiled against libjpeg-turbo should treat these warnings as fatal and abort parsing the image. They do not consider this issue as a security flaw.
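
An added example, not part of this bug report or of libjpeg-turbo's code: one way an application can apply the "set limits on image sizes" mitigation from the description, by reading the declared dimensions from the frame header and refusing oversized images before the decoder allocates anything. The function name, return codes and the 64-megapixel limit are assumptions of this example, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DIMS_OK = 1, DIMS_TOO_LARGE = 0, DIMS_MALFORMED = -1 };

/* Constructed sample: SOI, APP0/JFIF, then SOF2 (progressive) declaring
 * width 32768 and height 65535 with one component. No scan data follows. */
static const unsigned char sample_huge[] = {
    0xFF,0xD8, 0xFF,0xE0,0x00,0x10,'J','F','I','F',0,1,1,0,0,1,0,1,0,0,
    0xFF,0xC2,0x00,0x0B,0x08,0xFF,0xFF,0x80,0x00,0x01,0x01,0x11,0x00 };

static int is_sof(unsigned m) {   /* SOF0..SOF15 minus DHT, JPG, DAC */
    return m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC;
}

/* Walk marker segments up to the first SOF and compare the declared
 * pixel count against max_pixels (hypothetical application policy). */
int jpeg_check_dims(const unsigned char *p, size_t n, uint64_t max_pixels,
                    unsigned *w, unsigned *h) {
    size_t i = 2;
    if (n < 4 || p[0] != 0xFF || p[1] != 0xD8) return DIMS_MALFORMED;
    while (i + 4 <= n) {
        unsigned m = p[i + 1];
        if (p[i] != 0xFF) return DIMS_MALFORMED;
        if (m == 0xFF) { i++; continue; }              /* fill byte */
        if (m == 0xD9 || m == 0xDA) break;             /* EOI/SOS before SOF */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { i += 2; continue; }
        size_t seg = ((size_t)p[i + 2] << 8) | p[i + 3];  /* counts itself */
        if (seg < 2 || seg > n - i - 2) return DIMS_MALFORMED;
        if (is_sof(m)) {
            if (seg < 7) return DIMS_MALFORMED;
            *h = ((unsigned)p[i + 5] << 8) | p[i + 6];
            *w = ((unsigned)p[i + 7] << 8) | p[i + 8];
            if (*w == 0 || *h == 0) return DIMS_MALFORMED;  /* policy: reject */
            return (uint64_t)*w * *h <= max_pixels ? DIMS_OK : DIMS_TOO_LARGE;
        }
        i += 2 + seg;
    }
    return DIMS_MALFORMED;
}

int main(void) {
    unsigned w = 0, h = 0;
    int r = jpeg_check_dims(sample_huge, sizeof sample_huge, 64u << 20, &w, &h);
    printf("%ux%u -> %s\n", w, h, r == DIMS_OK ? "decode" : "reject");
    return 0;
}
```

This check covers only the size limit; treating warnings as fatal is done separately in the application's libjpeg error manager (the `emit_message` hook of `struct jpeg_error_mgr`).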
