| Summary: | <media-gfx/jpegoptim-1.5.3: heap buffer overflow | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ionen |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/tjko/jpegoptim/issues/132 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
John Helmert III

CVE-2023-27781:

jpegoptim v1.5.2 was discovered to contain a heap overflow in the optimize function at jpegoptim.c.

Needs bump to 1.5.3.

Comment 1

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8aecf4440fa038d73d5180e0ac91aabe3b86d30

commit e8aecf4440fa038d73d5180e0ac91aabe3b86d30
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-29 20:24:59 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-29 20:30:23 +0000

media-gfx/jpegoptim: add 1.5.3

Bug: https://bugs.gentoo.org/905324
Signed-off-by: John Helmert III <ajak@gentoo.org>

media-gfx/jpegoptim/Manifest | 1 +
media-gfx/jpegoptim/jpegoptim-1.5.3.ebuild | 15 +++++++++++++++
2 files changed, 16 insertions(+)

Comment 2

Hadn't noticed this was m-n; I minimally use it on my server with jpg thumbnails, so I may as well take maintenance from here (will give it a bit of review and stable it in a few days). Thanks for the sec bump.

Comment 3
Agostino Sarubbo

(In reply to John Helmert III from comment #0)
> CVE-2023-27781:
>
> jpegoptim v1.5.2 was discovered to contain a heap overflow in the optimize
> function at jpegoptim.c.
>
> Needs bump to 1.5.3.

This comment is valid also for other similar bugs. I don't know who is assigning the CVEs lately, but at the time I was active in fuzzing research I learned that READ overflows in command-line tools were considered an inconvenience:

https://www.openwall.com/lists/oss-security/2016/09/09/11

Comment 4
John Helmert III

(In reply to Agostino Sarubbo from comment #3)
> (In reply to John Helmert III from comment #0)
> > CVE-2023-27781:
> >
> > jpegoptim v1.5.2 was discovered to contain a heap overflow in the optimize
> > function at jpegoptim.c.
> >
> > Needs bump to 1.5.3.
>
> This comment is valid also for other similar bugs. I don't know who is
> assigning the CVEs in the last time, but at the time I was active in fuzzing
> research I learned that READ overflow in command line tool were considered
> an inconvenience
>
> https://www.openwall.com/lists/oss-security/2016/09/09/11

Of course, it all depends on impact. An OOB read that results in a graceful exit is different from an OOB read that triggers a segfault, which is different from an OOB read into a function pointer with an easily groomable heap, which gives you control flow. It seems like they were just telling you that they thought the issues were definitely not the latter? It's interesting that MITRE said that to you but now issues CVEs for anything. Regardless, it's reasonable for us (downstream) to track CVEs generally without being opinionated about whether we track various CVEs.

Comment 5

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3dd00c7dffba270a8b78ce3ac8d46fa96dc5478b

commit 3dd00c7dffba270a8b78ce3ac8d46fa96dc5478b
Author: Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-05-06 11:01:00 +0000
Commit: Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-05-06 11:16:47 +0000

media-gfx/jpegoptim: drop vulnerable 1.4.6

Bug: https://bugs.gentoo.org/905324
Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

media-gfx/jpegoptim/Manifest | 1 -
media-gfx/jpegoptim/jpegoptim-1.4.6.ebuild | 15 ---------------
2 files changed, 16 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=944464257eec140861e1dd5c44b197ad9a7261f0

commit 944464257eec140861e1dd5c44b197ad9a7261f0
Author: Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-05-06 11:00:48 +0000
Commit: Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-05-06 11:16:46 +0000

media-gfx/jpegoptim: stabilize 1.5.3-r1 for amd64, x86

Bug: https://bugs.gentoo.org/905324
Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

media-gfx/jpegoptim/jpegoptim-1.5.3-r1.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Comment 6

Thanks! Only a DoS via overread, no GLSA.