Bug 626324 (CVE-2017-9614) - media-libs/libjpeg-turbo: Denial of Service (CVE-2017-9614)
Status: RESOLVED INVALID
Alias: CVE-2017-9614
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [upstream cve]
Reported: 2017-07-27 07:54 UTC by Aleksandr Wagner (Kivak)
Modified: 2019-09-06 23:19 UTC
Description Aleksandr Wagner (Kivak) 2017-07-27 07:54:21 UTC
CVE-2017-9614 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9614)

The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted jpg file. 

References:

http://seclists.org/fulldisclosure/2017/Jul/66
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-07-27 12:11:11 UTC
Vulnerability was reported (1) day ago.  1.5.2 was released 20 days ago.  jpegdatasrc.c has not been touched in over a year.  This has not been patched.
Comment 2 tt_1 2017-10-09 17:52:01 UTC
This was reported on the GitHub repo of upstream, seems as if this CVE is somehow wrongfully linked to them?

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/167#issuecomment-328582075

Which would explain the absence of any fix or commit in libjpeg-turbo's code.
Comment 3 Mart Raudsepp gentoo-dev 2018-03-03 12:23:54 UTC
ping...
Comment 4 tt_1 2018-03-03 20:05:09 UTC
According to the information from the link which I posted, the maintainer states that this is the result of an abuse of the ABI and the whole CVE is invalid. Feel free to double check his statement.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-09-06 23:19:53 UTC
CVE was wrongly assigned to libjpeg-turbo.