In libjpeg-turbo, there is a heap-buffer-overflow at /libjpeg-turbo/jdmrgext.c:126 in h2v2_merged_upsample_internal(), leading to a crash. https://github.com/libjpeg-turbo/libjpeg-turbo/issues/675 https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021
Created libjpeg-turbo tracking bugs for this issue: Affects: fedora-all [bug 2208448]
Notes regarding this issue:

The following GitHub issues were filed between 2023-03-26 and 2023-04-02, describing various segfaults and buffer overruns that could be triggered in libjpeg-turbo 3.0 beta2 with various specially-crafted malformed 12-bit-per-sample lossless JPEG images:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/670
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/672
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/673
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/674
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/675
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/676
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/677
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/678
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/679
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/681
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/683

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021 (2023-04-04) fixed those issues by range-limiting the samples output by the 12-bit lossless decompressor. CVE-2023-2804 was published on 2023-05-25, and it links to the aforementioned commit.

However, further research revealed two related issues that were not fixed by the aforementioned commit:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/690 (2023-05-11)
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/701 (2023-06-25)

Ultimately all of the issues above were due to the fact that the merged upsampling and color quantization modules were never designed to work with lossless decompression, so it was possible for specially-crafted malformed 12-bit-per-sample and 16-bit-per-sample lossless JPEG images to cause the lossless decompressor to produce samples that overflowed tables in the merged upsampler or color quantizer.

Thus, libjpeg-turbo 3.0.0 disables both of those modules when decompressing lossless JPEG images:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2192560d74e6e6cf99dd05928885573be00a8208
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/bf9f319cb4b86b130bee16af19fee95a1cdb5ef2

Doing so obviated https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021, so that commit was reverted. In other words, the description of CVE-2023-2804 links to a commit that never actually made it into the libjpeg-turbo 3.0.0 code base. The other two commits linked above are the final released fixes, which cover not only the 11 issues discovered in March/April but also the two issues discovered in May/June.

tl;dr:
- All 13 issues existed in libjpeg-turbo 3.0 beta2.
- None of those issues exists in libjpeg-turbo 3.0.0.
- CVE-2023-2804 describes all 13 issues, but it links to a preliminary fix that was ultimately reverted and never released.
- The commits that ultimately fixed all issues and were released in libjpeg-turbo 3.0.0 are https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2192560d74e6e6cf99dd05928885573be00a8208 and https://github.com/libjpeg-turbo/libjpeg-turbo/commit/bf9f319cb4b86b130bee16af19fee95a1cdb5ef2.

Thank you for attending my TED talk.
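The bug class described in the comment above, as an added, constructed C model; this is not libjpeg-turbo code, and the table contents, the 12-bit pipeline parameters and the function names (lossless_reconstruct, would_overflow_table, range_limit, safe_table_lookup, choose_upsample_path) are assumptions made for the illustration. It shows how a lossless decoder whose output is not confined to the sample precision can index a fixed-size colour-conversion table out of bounds, the clamp that the preliminary (later reverted) commit applied, and the dispatch-level fix that 3.0.0 shipped, namely keeping lossless output away from the table-driven merged upsampler altogether.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 12-bit decode pipeline; not libjpeg-turbo's code. */
#define PRECISION   12
#define MAXJSAMPLE  ((1 << PRECISION) - 1)   /* 4095 */
#define TABLE_SIZE  (MAXJSAMPLE + 1)         /* one entry per legal sample */

/* A colour-conversion table indexed directly by a sample value, the way a
 * merged upsampler's Cr->R style tables are. Contents are synthetic. */
static int16_t cr_r_tab[TABLE_SIZE];
static int table_ready;

static void build_table(void)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        cr_r_tab[i] = (int16_t)(i - TABLE_SIZE / 2);   /* centred offset */
    table_ready = 1;
}

/* Lossless JPEG reconstruction: sample = (predictor + difference) mod 2^16
 * (ITU T.81 Annex H). Nothing here confines the result to PRECISION bits,
 * so a malformed stream can legitimately yield values far above MAXJSAMPLE. */
static int lossless_reconstruct(int predictor, int difference)
{
    return (predictor + difference) & 0xFFFF;
}

/* The vulnerable pattern: trust the sample and use it as a table index.
 * Returns 1 if this sample would read past the end of cr_r_tab. */
static int would_overflow_table(int sample)
{
    return sample < 0 || sample > MAXJSAMPLE;
}

/* Fix 1 (what the preliminary commit did): clamp decoder output to the
 * legal range before anything indexes a table with it. */
static int range_limit(int sample)
{
    if (sample < 0) return 0;
    if (sample > MAXJSAMPLE) return MAXJSAMPLE;
    return sample;
}

static int safe_table_lookup(int sample)
{
    if (!table_ready) build_table();
    return cr_r_tab[range_limit(sample)];
}

/* Fix 2 (what 3.0.0 shipped): never route lossless output through the
 * table-driven modules. Modelled as the upsampler selection step. */
typedef enum { PATH_MERGED_UPSAMPLE, PATH_SEPARATE_UPSAMPLE } upsample_path;

static upsample_path choose_upsample_path(int is_lossless, int want_merged)
{
    if (is_lossless) return PATH_SEPARATE_UPSAMPLE;   /* merged path disabled */
    return want_merged ? PATH_MERGED_UPSAMPLE : PATH_SEPARATE_UPSAMPLE;
}

int main(void)
{
    build_table();
    /* Constructed input: predictor 4000, decoded difference 3000. */
    int s = lossless_reconstruct(4000, 3000);
    printf("sample=%d overflows_table=%d clamped=%d path=%d\n",
           s, would_overflow_table(s), range_limit(s),
           choose_upsample_path(1, 1));
    return 0;
}
```

The point of the two fixes is the same: a sample-indexed table is only safe if every producer upstream of it guarantees the index range, and a lossless decoder does not. Clamping patches the symptom at one boundary; removing the merged upsampler and color quantizer from the lossless path removes the assumption entirely, which is why the clamp commit became redundant.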