
Bug 727010 (CVE-2020-13790)

Summary: <media-libs/libjpeg-turbo-{1.5.3-r3,2.0.4-r1}: Buffer overflow in get_rgb_row() via malformed PPM file (CVE-2020-13790)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ajak, codec
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a
See Also: https://github.com/gentoo/gentoo/pull/16184
https://bugs.gentoo.org/show_bug.cgi?id=715406
Whiteboard: A3 [glsa+ cve]
Package list:
=media-libs/libjpeg-turbo-1.5.3-r3 =media-libs/libjpeg-turbo-2.0.4-r1
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 727910    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-03 20:20:50 UTC
Description:
"libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file."

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433
Comment 1 Larry the Git Cow gentoo-dev 2020-06-13 16:30:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8110962edc520001b3d2059be69702a1ceccee9b

commit 8110962edc520001b3d2059be69702a1ceccee9b
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-11 00:37:52 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-06-13 16:30:39 +0000

    media-libs/libjpeg-turbo: Patch CVE-2020-13790
    
    Bug: https://bugs.gentoo.org/727010
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/16184

 .../files/libjpeg-turbo-1.5.3-CVE-2020-13790.patch |  43 ++++++++
 .../files/libjpeg-turbo-2.0.4-CVE-2020-13790.patch |  34 ++++++
 .../libjpeg-turbo/libjpeg-turbo-1.5.3-r3.ebuild    | 122 +++++++++++++++++++++
 .../libjpeg-turbo/libjpeg-turbo-2.0.4-r1.ebuild    | 108 ++++++++++++++++++
 4 files changed, 307 insertions(+)
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-14 20:30:15 UTC
ppc64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-06-15 15:01:46 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-15 15:04:59 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-15 15:13:08 UTC
sparc stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 14:23:30 UTC
arm64 stable
Comment 7 Rolf Eike Beer archtester 2020-06-18 06:55:13 UTC
hppa stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:50:32 UTC
x86 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 00:02:52 UTC
@ppc: ping
Comment 10 Larry the Git Cow gentoo-dev 2020-08-08 04:42:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3b6a9195cdcad8e233e5f570114c8ff18f68327

commit c3b6a9195cdcad8e233e5f570114c8ff18f68327
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-08 04:42:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-08 04:42:08 +0000

    media-libs/libjpeg-turbo: fix tests on ppc
    
    Fix tests on PPC by applying upstream-recommended
    workaround (-DFLOATTEST=64bit).
    
    See https://github.com/libjpeg-turbo/libjpeg-turbo/issues/428
    for details.
    
    Bug: https://bugs.gentoo.org/727010
    Closes: https://bugs.gentoo.org/715406
    Thanks-to: ernsteiswuerfel <erhard_f@mailbox.org>
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libjpeg-turbo/libjpeg-turbo-2.0.4-r1.ebuild | 9 +++++++++
 media-libs/libjpeg-turbo/libjpeg-turbo-2.0.5.ebuild    | 9 +++++++++
 2 files changed, 18 insertions(+)
Comment 11 ernsteiswuerfel archtester 2020-08-10 20:28:03 UTC
Looking good on ppc.

 # cat libjpeg-turbo-727010.report 
USE tests started on Mo 10. Aug 22:05:15 CEST 2020

FEATURES=' test' USE='' succeeded for =media-libs/libjpeg-turbo-1.5.3-r3
USE='-static-libs' succeeded for =media-libs/libjpeg-turbo-1.5.3-r3
USE='static-libs' succeeded for =media-libs/libjpeg-turbo-1.5.3-r3

FEATURES=' test' USE='' succeeded for =media-libs/libjpeg-turbo-2.0.4-r1
USE='-static-libs' succeeded for =media-libs/libjpeg-turbo-2.0.4-r1
USE='static-libs' succeeded for =media-libs/libjpeg-turbo-2.0.4-r1


rdeps pulled in from tatt for testing are seamonkey, thunderbird which both are not keyworded on ppc (ppc64 only).
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-11 07:24:04 UTC
ppc stable thanks to ernsteiswuerfel!
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 16:18:05 UTC
Need cleanup and GLSA.
Comment 14 Larry the Git Cow gentoo-dev 2020-10-04 17:39:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3090e82542e7c97c9555f9968bc02664d99774a0

commit 3090e82542e7c97c9555f9968bc02664d99774a0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-10-04 17:38:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-04 17:39:15 +0000

    media-libs/libjpeg-turbo: security cleanup
    
    Bug: https://bugs.gentoo.org/727010
    Bug: https://bugs.gentoo.org/727910
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libjpeg-turbo/Manifest                  |   1 -
 .../libjpeg-turbo/libjpeg-turbo-2.0.3.ebuild       | 100 ---------------------
 2 files changed, 101 deletions(-)
Comment 15 NATTkA bot gentoo-dev 2020-10-04 17:41:17 UTC
Unable to check for sanity:

> no match for package: =media-libs/libjpeg-turbo-2.0.4-r1
Comment 16 NATTkA bot gentoo-dev 2020-10-18 00:57:49 UTC
Unable to check for sanity:

> no match for package: =media-libs/libjpeg-turbo-1.5.3-r3
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 23:46:49 UTC
Done in https://security.gentoo.org/glsa/202010-03.