Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 626324 (CVE-2017-9614)

Summary: media-libs/libjpeg-turbo: Denial of Service (CVE-2017-9614)
Product: Gentoo Security Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal CC: anarchy, graphics+disabled, leio
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [upstream cve]
Package list:
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-07-27 07:54:21 UTC 
CVE-2017-9614 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9614)

The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted jpg file. 

References:

http://seclists.org/fulldisclosure/2017/Jul/66
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-07-27 12:11:11 UTC 
Vulnerability was reported (1) day ago.  1.5.2 was released 20 days ago.  jpegdatasrc.c has not been touched in over a year.  This has not been patched.
Comment 2 tt_1 2017-10-09 17:52:01 UTC 
This was reported on the github repo of upstream, seems as if this CVE is somehow wrongfully linked to them? 

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/167#issuecomment-328582075

Which would explain the absence of any fix or commit in libjpeg-turbo's code.
Comment 3 Mart Raudsepp gentoo-dev 2018-03-03 12:23:54 UTC 
ping...
Comment 4 tt_1 2018-03-03 20:05:09 UTC 
According to the information from the link which I posted, the maintainer states that this is the result of an abuse of the ABI and the whole CVE is invalid. Feel free to double check his statement.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-09-06 23:19:53 UTC 
CVE was wrongly assigned to libjpeg-turbo.