CVE-2022-34000: libjxl 0.6.1 has an assertion failure in LowMemoryRenderPipeline::Init() in render_pipeline/low_memory_render_pipeline.cc.
Looks like this is the patch: https://github.com/libjxl/libjxl/commit/aff17c4a57eb1e4d7ef00ea728d33cdb5b2ca9da So I guess we need another prerelease snapshot. The reporter's crash log has this, which *seemingly* indicates bad instructions were being run somehow, though I don't understand how that's possible via an assertion: [1] 888096 illegal hardware instruction ./decode_oneshot /tmp/poc /dev/null /dev/null Maintainer, please bump.
libjxl is at v0.7rc now but there are some fixes in v0.7.x afterwards. I am not sure now if to bump to the release candidate or it is better to wait till 0.7.0 is finished.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f8700605508d306aab8214eeb93fd55a00921a2 commit 4f8700605508d306aab8214eeb93fd55a00921a2 Author: Daniel Novomesky <dnovomesky@gmail.com> AuthorDate: 2022-09-02 19:43:46 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2022-09-14 18:12:48 +0000 media-libs/libjxl: version bump to 20220825 snapshot Bug: https://bugs.gentoo.org/856037 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Daniel Novomesky <dnovomesky@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/27119 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> media-libs/libjxl/Manifest | 1 + media-libs/libjxl/libjxl-0.7.0_pre20220825.ebuild | 74 +++++++++++++++++++++++ 2 files changed, 75 insertions(+)
Thanks! Please stabilize when ready
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37df8b41e718e5052e2b28a7edb0f55052f28e89 commit 37df8b41e718e5052e2b28a7edb0f55052f28e89 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2022-10-17 10:03:14 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2022-10-20 10:37:26 +0000 media-libs/libjxl: drop 0.7.0_pre20220511 Bug: https://bugs.gentoo.org/856037 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> media-libs/libjxl/Manifest | 1 - media-libs/libjxl/libjxl-0.7.0_pre20220511.ebuild | 74 ----------------------- 2 files changed, 75 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=387bed64e6b1172ee7b989c615970ef056bcb513 commit 387bed64e6b1172ee7b989c615970ef056bcb513 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2022-10-25 16:02:36 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2022-10-25 16:20:06 +0000 media-libs/libjxl: unkeyword 0.7.0_pre20220329 for !arm Bug: https://bugs.gentoo.org/856037 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> media-libs/libjxl/libjxl-0.7.0_pre20220329.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
All vulnerable versions have been cleaned up.
Thanks! Any input on the impact? Not sure how the reporter hit an illegal hardware instruction from an assertion failure.
(In reply to John Helmert III from comment #8) > Thanks! Any input on the impact? Not sure how the reporter hit an illegal > hardware instruction from an assertion failure. The whole impact is that corrupted file can close the whole application. Because there was check which called abort in unnecessary situation.
(In reply to Daniel Novomeský from comment #9) > (In reply to John Helmert III from comment #8) > > Thanks! Any input on the impact? Not sure how the reporter hit an illegal > > hardware instruction from an assertion failure. > > The whole impact is that corrupted file can close the whole application. > Because there was check which called abort in unnecessary situation. How does that explain the illegal hardware instruction in the report? That would seem to indicate that the process's control flow was changed, making the vulnerability worse than only DoS.
I suspect that the so-called "illegal hardware instruction" is merely a result of calling __builtin_trap(); inside ::jxl::Abort();
We'll just treat as DoS then.
GLSA request filed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=fa42391426f1eebc137dfc86e850a0a5d16bb385 commit fa42391426f1eebc137dfc86e850a0a5d16bb385 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-31 20:21:23 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-31 20:25:50 +0000 [ GLSA 202210-36 ] libjxl: Denial of Service Bug: https://bugs.gentoo.org/856037 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-36.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+)
GLSA released, all done!
