Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 856037 (CVE-2022-34000)

Summary: <media-libs/libjxl-0.7.0_pre20220825: assertion failure
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dnovomesky, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/libjxl/libjxl/issues/1477
See Also: https://github.com/gentoo/gentoo/pull/27119
https://github.com/gentoo/gentoo/pull/27839
https://github.com/gentoo/gentoo/pull/27947
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 877289    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-03 02:03:53 UTC
CVE-2022-34000:

libjxl 0.6.1 has an assertion failure in LowMemoryRenderPipeline::Init() in render_pipeline/low_memory_render_pipeline.cc.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 01:04:13 UTC
Looks like this is the patch:

https://github.com/libjxl/libjxl/commit/aff17c4a57eb1e4d7ef00ea728d33cdb5b2ca9da

So I guess we need another prerelease snapshot. The reporter's crash log has this, which *seemingly* indicates bad instructions were being run somehow, though I don't understand how that's possible via an assertion:

[1]    888096 illegal hardware instruction  ./decode_oneshot /tmp/poc /dev/null /dev/null

Maintainer, please bump.
Comment 2 Daniel Novomeský 2022-09-02 16:26:47 UTC
libjxl is at v0.7rc now but there are some fixes in v0.7.x afterwards.

I am not sure now if to bump to the release candidate or it is better to wait till 0.7.0 is finished.
Comment 3 Larry the Git Cow gentoo-dev 2022-09-14 18:18:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f8700605508d306aab8214eeb93fd55a00921a2

commit 4f8700605508d306aab8214eeb93fd55a00921a2
Author:     Daniel Novomesky <dnovomesky@gmail.com>
AuthorDate: 2022-09-02 19:43:46 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-09-14 18:12:48 +0000

    media-libs/libjxl: version bump to 20220825 snapshot
    
    Bug: https://bugs.gentoo.org/856037
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Daniel Novomesky <dnovomesky@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/27119
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libjxl/Manifest                        |  1 +
 media-libs/libjxl/libjxl-0.7.0_pre20220825.ebuild | 74 +++++++++++++++++++++++
 2 files changed, 75 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-14 18:31:33 UTC
Thanks! Please stabilize when ready
Comment 5 Larry the Git Cow gentoo-dev 2022-10-20 10:37:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37df8b41e718e5052e2b28a7edb0f55052f28e89

commit 37df8b41e718e5052e2b28a7edb0f55052f28e89
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-10-17 10:03:14 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-10-20 10:37:26 +0000

    media-libs/libjxl: drop 0.7.0_pre20220511
    
    Bug: https://bugs.gentoo.org/856037
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libjxl/Manifest                        |  1 -
 media-libs/libjxl/libjxl-0.7.0_pre20220511.ebuild | 74 -----------------------
 2 files changed, 75 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2022-10-25 16:20:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=387bed64e6b1172ee7b989c615970ef056bcb513

commit 387bed64e6b1172ee7b989c615970ef056bcb513
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-10-25 16:02:36 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-10-25 16:20:06 +0000

    media-libs/libjxl: unkeyword 0.7.0_pre20220329 for !arm
    
    Bug: https://bugs.gentoo.org/856037
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libjxl/libjxl-0.7.0_pre20220329.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Andreas Sturmlechner gentoo-dev 2022-10-25 18:37:18 UTC
All vulnerable versions have been cleaned up.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-25 22:21:10 UTC
Thanks! Any input on the impact? Not sure how the reporter hit an illegal hardware instruction from an assertion failure.
Comment 9 Daniel Novomeský 2022-10-27 10:53:33 UTC
(In reply to John Helmert III from comment #8)
> Thanks! Any input on the impact? Not sure how the reporter hit an illegal
> hardware instruction from an assertion failure.

The whole impact is that corrupted file can close the whole application. Because there was check which called abort in unnecessary situation.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-27 16:38:14 UTC
(In reply to Daniel Novomeský from comment #9)
> (In reply to John Helmert III from comment #8)
> > Thanks! Any input on the impact? Not sure how the reporter hit an illegal
> > hardware instruction from an assertion failure.
> 
> The whole impact is that corrupted file can close the whole application.
> Because there was check which called abort in unnecessary situation.

How does that explain the illegal hardware instruction in the report? That would seem to indicate that the process's control flow was changed, making the vulnerability worse than only DoS.
Comment 11 Daniel Novomeský 2022-10-27 17:08:26 UTC
I suspect that the so-called "illegal hardware instruction" is merely a result of calling __builtin_trap(); inside ::jxl::Abort();
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-30 03:37:23 UTC
We'll just treat as DoS then.
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 14:43:03 UTC
GLSA request filed.
Comment 14 Larry the Git Cow gentoo-dev 2022-10-31 20:26:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fa42391426f1eebc137dfc86e850a0a5d16bb385

commit fa42391426f1eebc137dfc86e850a0a5d16bb385
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:21:23 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:50 +0000

    [ GLSA 202210-36 ] libjxl: Denial of Service
    
    Bug: https://bugs.gentoo.org/856037
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-36.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 20:27:05 UTC
GLSA released, all done!