Bug 908520 (CVE-2023-35790) - <media-libs/libjxl-0.8.2: integer underflow leading to infinite loop
Summary: <media-libs/libjxl-0.8.2: integer underflow leading to infinite loop
Status: CONFIRMED
Alias: CVE-2023-35790
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/libjxl/libjxl/rele...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 922501
Blocks:
Reported: 2023-06-15 05:49 UTC by John Helmert III
Modified: 2024-03-21 06:59 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III 2023-06-15 05:49:10 UTC
"### Changed
 - Security: Fix an integer underflow bug in patch decoding. (#2551)"

Please bump to 0.8.2.
Comment 1 Daniel Novomeský 2023-06-15 19:10:12 UTC
It's an infinite loop bug; we will upgrade libjxl.
Comment 2 John Helmert III 2023-06-19 02:45:44 UTC
This is CVE-2023-35790:

An issue was discovered in dec_patch_dictionary.cc in libjxl before 0.8.2. An integer underflow in patch decoding can lead to a denial of service, such as an infinite loop.
Comment 3 Daniel Novomeský 2024-01-07 19:51:27 UTC
I believe that libjxl-0.8.2-r1 should be made stable and older versions removed afterwards.
Comment 4 Michał Górny 2024-03-20 16:49:30 UTC
Cleanup done.