Bug 1770982 (CVE-2019-2201) - CVE-2019-2201 libjpeg-turbo: several integer overflows and subsequent segfaults when attempting to compress/decompress gigapixel images
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-2201
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1850477
Depends On: 1770988 1770989 1770990 1774349 1774350 1774351
Blocks: 1770986 1849067
Reported: 2019-11-11 16:15 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-25 09:54 UTC
CC: 10 users

Fixed In Version: libjpeg-turbo 2.0.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-25 09:54:38 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2019-11-11 16:15:28 UTC
Several integer overflow issues and subsequent segfaults occur in libjpeg-turbo when attempting to compress or decompress gigapixel images.

Reference:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361

Upstream commit:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884

Comment 1 Guilherme de Almeida Suckevicz 2019-11-11 16:17:58 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1770988]


Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: epel-7 [bug 1770990]
Affects: fedora-all [bug 1770989]

Comment 2 Huzaifa S. Sidhpurwala 2019-11-20 05:19:01 UTC
The initial commit done by upstream at https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884 is incomplete, and should be followed by the commit at: https://github.com/clearlinux-pkgs/libjpeg-turbo/commit/0a5d06c3dd4a64754d7e6ffa081fd9132714f74c

Analysis:

This flaw is an integer overflow due to large image sizes, i.e. more than one billion pixels. It could lead to subsequent buffer overflows later in the code. However, you need a really large image to trigger this.
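
A minimal illustration of the overflow class described in the comment above, added here as an example; it is not code from libjpeg-turbo or from the fix commits. It assumes 32-bit dimension types and a constructed 4-component pixel layout: the naive product wraps for a gigapixel image, while the checked version carries the arithmetic in 64 bits and refuses anything that would overflow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive size computation in 32-bit arithmetic (the pattern behind this
 * bug class): for a gigapixel image width * height * components exceeds
 * 2^32 and the unsigned product silently wraps, so a buffer sized from it
 * is far too small for the pixel data later written into it. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t components)
{
    return width * height * components;
}

/* Hardened version: carry the product in 64 bits and reject any step that
 * would overflow instead of letting it wrap. Returns false on overflow. */
bool checked_buffer_size(uint32_t width, uint32_t height, uint32_t components,
                         uint64_t *out)
{
    if (width == 0 || height == 0 || components == 0) {
        *out = 0;
        return true;
    }
    if ((uint64_t)width > UINT64_MAX / height)
        return false;
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > UINT64_MAX / components)
        return false;
    *out = pixels * components;
    return true;
}

int main(void)
{
    /* Constructed sample: 32768 x 32768 is 2^30 pixels (just over one
     * billion); with 4 components the byte count is exactly 2^32. */
    uint32_t w = 32768, h = 32768, c = 4;
    uint64_t bytes;

    printf("naive 32-bit size:   %u\n", naive_buffer_size(w, h, c)); /* wraps to 0 */
    if (checked_buffer_size(w, h, c, &bytes))
        printf("checked 64-bit size: %llu\n", (unsigned long long)bytes);

    /* Even 64-bit arithmetic has a ceiling; the check reports it. */
    if (!checked_buffer_size(UINT32_MAX, UINT32_MAX, c, &bytes))
        printf("checked: overflow rejected\n");
    return 0;
}
```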

Comment 4 Huzaifa S. Sidhpurwala 2020-07-06 04:37:56 UTC
*** Bug 1850483 has been marked as a duplicate of this bug. ***

Comment 5 Huzaifa S. Sidhpurwala 2020-07-23 04:32:49 UTC
As mentioned in comment #2, there are two commits which are needed to fix this flaw:

1. https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884 -> this is a part of libjpeg-turbo 2.0.3

2. https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad -> this is a part of libjpeg-turbo 2.0.4

Comment 6 Huzaifa S. Sidhpurwala 2020-07-23 04:48:43 UTC
*** Bug 1850477 has been marked as a duplicate of this bug. ***

