Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 699830 (CVE-2019-2201)

Summary: <media-libs/libjpeg-turbo-2.0.3: several integer overflows and subsequent segfaults when attempting to compress/decompress gigapixel images (CVE-2019-2201)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: graphics+disabled, nobrowser, sam
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa+ cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 16:32:00 UTC
CVE-2019-2201 (
  Several integer overflows and subsequent segfaults when attempting to
  compress/decompress gigapixel images.
Comment 1 Agostino Sarubbo gentoo-dev 2019-11-12 10:07:28 UTC
x86 stable
Comment 2 Agostino Sarubbo gentoo-dev 2019-11-12 10:13:52 UTC
sparc stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-11-12 15:09:05 UTC
ppc64 stable
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-11-12 20:08:20 UTC
arm64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-11-13 07:41:28 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-11-13 07:45:43 UTC
amd64 stable
Comment 7 Rolf Eike Beer archtester 2019-11-13 21:48:27 UTC
hppa stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-11-14 11:57:59 UTC
ia64 stable
Comment 9 Matt Turner gentoo-dev 2019-11-17 07:22:02 UTC
alpha stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-22 09:37:36 UTC
arm stable
Comment 11 Ian Zimmerman 2019-12-16 18:37:06 UTC
I'd like to point out that in the announcement of this bug on oss-security [1], it says:

> integer overflow and subsequent heap corruption in libjpeg-turbo *2.0.3 and earlier*

(emph mine)

If that is right, a simple bump to 2.0.3 would not have fixed it in our distro.

I tried to follow the link to NIST, but there it is stated in term of Android versions only, and my eyes glaze over.  Sorry, please someone follow up.

Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 04:49:17 UTC
@ Ian: This bug is about CVE-2019-2201 which is linked to and this commit is present in v2.0.3. I guess the CVE text is not correct. If you have any other information, please share.

New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 14:29:34 UTC
This issue was resolved and addressed in
 GLSA 202003-23 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2020-10-18 00:26:43 UTC
*** Bug 727910 has been marked as a duplicate of this bug. ***