Bug 1937385 (CVE-2021-20205) - CVE-2021-20205 libjpeg-turbo: DoS via open crafted GIF
Summary: CVE-2021-20205 libjpeg-turbo: DoS via open crafted GIF
Keywords:
Status: NEW
Alias: CVE-2021-20205
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1937387 1937388 1938013
Blocks: 1937390
TreeView+ depends on / blocked
 
Reported: 2021-03-10 14:31 UTC by Dhananjay Arunesh
Modified: 2021-03-15 17:34 UTC (History)
11 users (show)

Fixed In Version: libjpeg-turbo 2.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libjpeg-turbo (versions 2.0.91 and 2.0.90) and is vulnerable to a denial of service issue caused by a divide by zero when processing a crafted GIF image. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2021-03-10 14:31:53 UTC
Libjpeg-turbo (versions 2.0.91 and 2.0.90) is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.

References:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/493 [https://github.com/libjpeg-turbo/libjpeg-turbo/issues/493
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1719d12e51641cce5c77e259516649ba5ef6303c

Comment 1 Dhananjay Arunesh 2021-03-10 14:32:55 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1937387]


Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1937388]

Comment 2 DRC 2021-03-10 20:55:07 UTC
Denial of service?  Really?  What, pray tell, is the "service" that was being denied?  This bug was confined to the cjpeg application, whose main purpose is to demonstrate the usage of the libjpeg API library.  The library itself was not affected, and thus no other applications were affected.  Assigning a CVE to this seems like an overreaction, particularly given that the bug was a regression introduced by a new feature in a beta (non-production) release of libjpeg-turbo, and the bug was fixed two months before this Bugzilla issue was even created.  To those in the open source community, please stop abusing the term "DoS".  cjpeg is not, by any stretch of the imagination, a "service", and if it crashes rather than bowing out gracefully on a corrupt input image, that isn't a "denial of service."

Comment 5 Todd Cullum 2021-03-11 22:35:44 UTC
Statement:

This flaw does not affect versions of libjpeg-turbo shipped with Red Hat Enterprise Linux versions 6, 7, or 8. Additionally, it is not in the library, only the cjpeg utility.

Comment 6 DRC 2021-03-15 17:25:04 UTC
Correct.  More specifically, the flaw only affects libjpeg-turbo 2.1 beta1.  It was introduced as part of a new feature in libjpeg-turbo 2.1 that adds support for creating JPEG files from LZW-compressed GIF files using cjpeg.

Comment 7 DRC 2021-03-15 17:34:12 UTC
Also please note that 2.0.91 is not an official release of libjpeg-turbo.  2.0.90 is 2.1 beta1.  The version number in the Git repository was bumped to 2.0.91 for post-beta commits, but that version number would only become official if it were necessary to put out a beta2 release (which it isn't.)  Thus, to be 100% correct, this issue affects:

- The official 2.0.90 (2.1 beta1) release
- Any unofficial/pre-release builds with a version number of 2.0.91 and a build number < 20210114


Note You need to log in before you can comment on or make changes to this bug.