Bug 2208447 (CVE-2023-2804) - CVE-2023-2804 libjpeg-turbo: heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c
Summary: CVE-2023-2804 libjpeg-turbo: heap-buffer-overflow in h2v2_merged_upsample_int...
Keywords:
Status: NEW
Alias: CVE-2023-2804
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2208448
Blocks: 2193322
TreeView+ depends on / blocked
 
Reported: 2023-05-19 06:29 UTC by TEJ RATHI
Modified: 2024-03-19 13:12 UTC (History)
19 users (show)

Fixed In Version: libjpeg-turbo 3.0-beta2
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow issue was found in libjpeg-turbo in the h2v2_merged_upsample_internal() function in the jdmrgext.c file. This issue can only be used with 12-bit data precision for which the range of the sample data type exceeds the valid sample range. This could allow an attacker to craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such an image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description TEJ RATHI 2023-05-19 06:29:22 UTC
In libjpeg-turbo, there is heap-buffer-overflow at /libjpeg-turbo/jdmrgext.c:126 in h2v2_merged_upsample_internal(), leadin causing crash.

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/675 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021

Comment 1 TEJ RATHI 2023-05-19 06:29:39 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 2208448]

Comment 5 DRC 2023-07-11 15:27:08 UTC
Notes regarding this issue:

The following GitHub issues were filed between 2023-03-26 and 2023-04-02, describing various segfaults and buffer overruns that could be triggered in libjpeg-turbo 3.0 beta2 with various specially-crafted malformed 12-bit-per-sample lossless JPEG images:

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/670
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/672
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/673
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/674
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/675
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/676
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/677
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/678
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/679
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/681
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/683

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021 (2023-04-04) fixed those issues by range-limiting the samples output by the 12-bit lossless decompressor.  CVE-2023-2804 was published on 2023-05-25, and it links to the aforementioned commit.  However, further research revealed two related issues that were not fixed by the aforementioned commit:

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/690 (2023-05-11)
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/701 (2023-06-25)

Ultimately all of the issues above were due to the fact that the merged upsampling and color quantization modules were never designed to work with lossless decompression, so it was possible for specially-crafted malformed 12-bit-per-sample and 16-bit-per-sample lossless JPEG images to cause the lossless decompressor to produce samples that overflowed tables in the merged upsampler or color quantizer.  Thus, libjpeg-turbo 3.0.0 disables both of those modules when decompressing lossless JPEG images:

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2192560d74e6e6cf99dd05928885573be00a8208
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/bf9f319cb4b86b130bee16af19fee95a1cdb5ef2

Doing so obviated https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021, so that commit was reverted.  In other words, the description of CVE-2023-2804 links to a commit that never actually made it into the libjpeg-turbo 3.0.0 code base.  The other two commits linked above are the final released fixes, which cover not only the 11 issues discovered in March/April but also the two issues discovered in May/June.

tl;dr:
- All 13 issues existed in libjpeg-turbo 3.0 beta2.
- None of those issues exists in libjpeg-turbo 3.0.0.
- CVE-2023-2804 describes all 13 issues, but it links to a preliminary fix that was ultimately reverted and never released.
- The commits that ultimately fixed all issues and were released in libjpeg-turbo 3.0.0 are https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2192560d74e6e6cf99dd05928885573be00a8208 and https://github.com/libjpeg-turbo/libjpeg-turbo/commit/bf9f319cb4b86b130bee16af19fee95a1cdb5ef2.

Thank you for attending my TED talk.


Note You need to log in before you can comment on or make changes to this bug.