
Bug 908520 (CVE-2023-35790)

Summary: <media-libs/libjxl-0.8.2: integer underflow leading to infinite loop
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: minor
CC: ajak, dnovomesky, mgorny, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/libjxl/libjxl/releases/tag/v0.8.2
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 922501
Bug Blocks:

Description John Helmert III 2023-06-15 05:49:10 UTC
"### Changed
 - Security: Fix an integer underflow bug in patch decoding. (#2551)"

Please bump to 0.8.2.
Comment 1 Daniel Novomeský 2023-06-15 19:10:12 UTC
It's an infinite loop bug; we will upgrade libjxl.
Comment 2 John Helmert III 2023-06-19 02:45:44 UTC
This is CVE-2023-35790:

An issue was discovered in dec_patch_dictionary.cc in libjxl before 0.8.2. An integer underflow in patch decoding can lead to a denial of service, such as an infinite loop.
Comment 3 Daniel Novomeský 2024-01-07 19:51:27 UTC
I believe that libjxl-0.8.2-r1 should be made stable and older versions removed afterwards.
Comment 4 Michał Górny 2024-03-20 16:49:30 UTC
Cleanup done.