Bug 658624 (CVE-2018-1152, CVE-2018-11813)

Summary: <media-libs/libjpeg-turbo-1.5.3-r2: multiple vulnerabilities (CVE-2018-{1152,11813})
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Florian Schuhmacher <mynt1aa>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
Priority: Normal
CC: anarchy, graphics+disabled
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
Whiteboard: B3 [noglsa]
Package list: media-libs/libjpeg-turbo-1.5.3-r2
Runtime testing required: ---

Description Florian Schuhmacher 2018-06-21 05:30:02 UTC
libjpeg-turbo through version 1.5.90 is vulnerable to a divide by zero flaw in the rdbmp.c:start_input_bmp() function. An attacker could exploit this to cause a denial of service via a crafted BMP image.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Larry the Git Cow gentoo-dev 2018-06-21 13:45:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6fd7dd5d9d605685ff7f62bebf6f56fd4dbb8b9

commit a6fd7dd5d9d605685ff7f62bebf6f56fd4dbb8b9
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-06-21 13:40:08 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-06-21 13:45:31 +0000

    media-libs/libjpeg-turbo: Revbump to fix division by zero.
    
    Bug: https://bugs.gentoo.org/658624
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 .../files/libjpeg-turbo-1.5.3-divzero_fix.patch    |  18 ++++
 .../files/libjpeg-turbo-1.5.90-divzero_fix.patch   |  41 +++++++
 .../libjpeg-turbo/libjpeg-turbo-1.5.3-r1.ebuild    | 120 +++++++++++++++++++++
 ....5.90.ebuild => libjpeg-turbo-1.5.90-r1.ebuild} |   8 +-
 4 files changed, 185 insertions(+), 2 deletions(-)
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-06-21 13:47:11 UTC
I suggest stabilizing =media-libs/libjpeg-turbo-1.5.3-r1
Comment 3 Larry the Git Cow gentoo-dev 2018-08-16 11:02:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ba1f0cf1f00c16bd2efcf96fcba79f17dffc0ee

commit 0ba1f0cf1f00c16bd2efcf96fcba79f17dffc0ee
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2018-08-16 11:01:30 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2018-08-16 11:02:03 +0000

    media-libs/libjpeg-turbo-1.5.3-r2: Fix CVE-2018-11813
    
    libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF
    
    https://nvd.nist.gov/vuln/detail/CVE-2018-11813
    
    Bug: https://bugs.gentoo.org/658624
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 .../files/libjpeg-turbo-1.5.3-cve-2018-11813.patch | 45 ++++++++++++++++++++++
 ...5.3-r1.ebuild => libjpeg-turbo-1.5.3-r2.ebuild} |  1 +
 2 files changed, 46 insertions(+)
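
The failure mode named in the commit message above (a pixel reader that mishandles EOF and therefore loops over the full declared image size), shown beside a checked reader. This is an added example, not part of the bug report and not code from libjpeg or libjpeg-turbo; the function names, the 6-byte input and the 1000x1000 dimensions are constructed assumptions.

```c
#include <stdio.h>
#include <stdint.h>
/* Added illustration; hypothetical names, not libjpeg or libjpeg-turbo code. */

/* Flawed pattern: getc()'s EOF (-1) is cast to a byte unchecked, so a
 * truncated file still costs w*h iterations. Returns iterations performed. */
static uint64_t read_unchecked(FILE *in, uint32_t w, uint32_t h, int pixel_size)
{
    uint64_t iterations = 0;
    volatile uint8_t sink = 0;
    for (uint64_t n = (uint64_t)w * h; n > 0; n--, iterations++)
        for (int i = 0; i < pixel_size; i++)
            sink = (uint8_t)getc(in);   /* EOF silently becomes 0xFF */
    (void)sink;
    return iterations;
}

/* Hardened pattern: fail at the first EOF. Returns whole pixels read before
 * the premature end of file, or -1 if all w*h pixels were present. */
static int64_t read_checked(FILE *in, uint32_t w, uint32_t h, int pixel_size)
{
    int64_t complete = 0;
    for (uint64_t n = (uint64_t)w * h; n > 0; n--, complete++)
        for (int i = 0; i < pixel_size; i++)
            if (getc(in) == EOF)
                return complete;
    return -1;
}

/* Constructed input: 6 data bytes behind a declared 1000x1000, 3 bytes/pixel. */
int64_t demo(int checked)
{
    FILE *f = tmpfile();
    if (!f) return -2;                  /* could not create the temp file */
    for (int i = 0; i < 6; i++)
        putc(0x10, f);
    rewind(f);
    int64_t r = checked ? read_checked(f, 1000, 1000, 3)
                        : (int64_t)read_unchecked(f, 1000, 1000, 3);
    fclose(f);
    return r;
}

int main(void)
{
    printf("unchecked iterations: %lld\n", (long long)demo(0));
    printf("checked stopped after: %lld pixels\n", (long long)demo(1));
    return 0;
}
```

The unchecked reader's work is set by the declared dimensions alone, while the checked reader's work is bounded by the bytes actually present.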
Comment 4 Jason Zaman gentoo-dev 2018-08-16 11:07:11 UTC
I backported another patch and updated to -r2. Can someone check if more things in the bug need updating?
Comment 5 Jason Zaman gentoo-dev 2018-08-16 12:48:14 UTC
amd64 stable
Comment 6 Mart Raudsepp gentoo-dev 2018-08-16 13:37:52 UTC
arm64 stable
Comment 7 Rolf Eike Beer archtester 2018-08-16 20:18:00 UTC
sparc done.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-18 22:34:41 UTC
x86 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-18 22:47:50 UTC
ia64 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-18 22:51:03 UTC
ppc stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-21 19:43:26 UTC
ppc64 stable
Comment 12 Markus Meier gentoo-dev 2018-08-21 20:14:27 UTC
arm stable
Comment 13 Markus Meier gentoo-dev 2018-08-21 20:21:02 UTC
not yet stabilized for arm, sorry for the noise.
Comment 14 Markus Meier gentoo-dev 2018-08-22 04:56:03 UTC
arm stable
Comment 15 Matt Turner gentoo-dev 2018-09-12 03:57:07 UTC
alpha stable. all archs stable
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-06 22:31:23 UTC
hppa stable
Comment 17 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-07-31 12:13:36 UTC
Security cleanup:

commit 1ee86697389926cb234fcac5f250cfba1fc289f5
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Feb 28 11:42:45 2019

    media-libs/libjpeg-turbo: Removed old.

    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2019-07-31 23:30:33 UTC
All done, repository is clean.

GLSA Vote: No!