Bug 130889 - media-libs/jpeg: maxmem feature not used (DoS via memory exhaustion)
Summary: media-libs/jpeg: maxmem feature not used (DoS via memory exhaustion)
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3? [glsa]
Duplicates: 135644

Reported: 2006-04-22 14:22 UTC by Tavis Ormandy (RETIRED)
Modified: 2006-11-11 20:07 UTC

Attachments
example image (max_memory_to_use.jpg, 738 bytes, image/jpeg) - 2006-04-22 14:24 UTC, Tavis Ormandy (RETIRED)
jpeg-sysconf-maxmem.diff (jpeg-sysconf-maxmem.diff, 662 bytes, patch) - 2006-04-23 01:26 UTC, Tavis Ormandy (RETIRED)
sysconf maxmem patch (jpeg-sysconf-maxmem.diff, 678 bytes, patch) - 2006-04-23 02:56 UTC, Tavis Ormandy (RETIRED)
Updated patch supporting FreeBSD and DragonFly and with fallback. (60_all_jpeg-maxmem-sysconf.patch, 1.28 KB, patch) - 2006-05-28 17:50 UTC, Diego Elio Pettenò (RETIRED)
Updated patch supporting *BSD and Darwin and with fallback. (60_all_jpeg-maxmem-sysconf.patch, 1.36 KB, patch) - 2006-05-31 12:01 UTC, Diego Elio Pettenò (RETIRED)
Re-Updated patch supporting *BSD and Darwin and with fallback. (patch, 1.38 KB, patch) - 2006-05-31 12:39 UTC, Fabian Groffen
latest darwin/bsd/linux maxmem patch from SVN by Flameeyes (60_all_jpeg-maxmem-sysconf.patch, 1.37 KB, patch) - 2006-05-31 12:53 UTC, Fabian Groffen

Description Tavis Ormandy (RETIRED) gentoo-dev 2006-04-22 14:22:24 UTC
We distribute the jpeg library without a feature it calls `maxmem`, which is used to restrict images from allocating ridiculous amounts of memory and to allow developers to specify a reasonable limit for allocation.

The documentation all assumes this feature is enabled, and documents settings such as the JPEGMEM environment variable, the max_mem_to_use jpeg option, the -maxmemory argument to djpeg and so on. A user might reasonably expect these settings to prevent a malicious image from disrupting any image processing routines that accept images from users; however, they do nothing, potentially resulting in a DoS via memory exhaustion.

Suggest adding --enable-maxmem option to configure, which will solve this problem.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-04-22 14:24:10 UTC
Created attachment 85214 [details]
example image
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2006-04-22 14:36:19 UTC
graphics herd: please provide an updated ebuild, or comment if appropriate.
Comment 3 SpanKY gentoo-dev 2006-04-22 21:08:48 UTC
what exactly would you say a reasonable limit is ?
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2006-04-23 01:05:11 UTC
How about we replace jpeg_mem_init() in jmemansi.c with a routine that uses sysconf() with _SC_PHYS_PAGES?

example:

#include <limits.h>  /* LONG_MAX */
#include <unistd.h>  /* sysconf(), _SC_PHYS_PAGES, _SC_PAGESIZE */

GLOBAL(long)
jpeg_mem_init (j_common_ptr cinfo)
{
    long phys_pages, page_size;

    /* Number of physical pages; -1 means sysconf() could not tell us. */
    if ((phys_pages = sysconf(_SC_PHYS_PAGES)) == -1)
        return DEFAULT_MAX_MEM; /* defined by libjpeg via --enable-maxmem=xx */
    if ((page_size = sysconf(_SC_PAGESIZE)) == -1)
        return DEFAULT_MAX_MEM;
    /* Guard the multiplication: with a 32-bit long, more than 2 GB of RAM
       would overflow, so clamp to LONG_MAX instead. */
    if (phys_pages > LONG_MAX / page_size)
        return LONG_MAX;
    return phys_pages * page_size;
}

and set DEFAULT_MAX_MEM to 64M or similar as a fallback? This would be a reasonable default, but allow JPEGMEM and max_memory_to_use to be honoured by users who want to prevent memory exhaustion.
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2006-04-23 01:26:23 UTC
Created attachment 85252 [details, diff]
jpeg-sysconf-maxmem.diff

suggested patch, tested with --enable-maxmem=64 (only used as a fallback)
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2006-04-23 02:56:53 UTC
Created attachment 85260 [details, diff]
sysconf maxmem patch

the comments in jmemansi.c say "If you can actually get the available space, it's a good idea to subtract a slop factor of 5% or so.", so this patch does that.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-05-14 10:14:42 UTC
Misplaced
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-05-18 10:08:21 UTC
graphics team please patch
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-28 17:49:17 UTC
I had to drop the ~x86-fbsd keyword from -r7 because the calls are very Linux-specific. I do have a portable patch; if that can be used instead of the current one, it would be perfect.
Comment 10 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-28 17:50:07 UTC
Created attachment 87770 [details, diff]
Updated patch supporting FreeBSD and DragonFly and with fallback.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-31 10:28:13 UTC
arches please test and mark 6b-r7 stable, thanks
Comment 12 Thomas Cort (RETIRED) gentoo-dev 2006-05-31 10:37:03 UTC
alpha stable.
Comment 13 Fabian Groffen gentoo-dev 2006-05-31 11:10:57 UTC
Darwin has a problem similar to BSD.  However, Diego's patch won't work for us.  I need something like this:

/* Needs <sys/types.h> and <sys/sysctl.h>; ARRAY_SIZE(a) is sizeof (a) / sizeof (a)[0]. */
#if HAVE_SYSCTL && defined HW_PHYSMEM
  { /* This works on *bsd and darwin.  */
    unsigned int physmem;
    size_t len = sizeof physmem;
    static int mib[2] = { CTL_HW, HW_PHYSMEM };

    if (sysctl (mib, ARRAY_SIZE (mib), &physmem, &len, NULL, 0) == 0
        && len == sizeof (physmem))
      return (double) physmem;
  }
#endif

Diego, is your patch in yet (doesn't look like it), and can the above code be combined with yours?  I grabbed the above from http://www.opensource.apple.com/darwinsource/WWDC2004/gccfast-1614/libiberty/physmem.c

I cannot mark this package stable on ppc-macos because the package doesn't compile.
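An added example (not one of the patches attached to this bug) combining the sysconf() approach from comments 4 and 6 with the sysctl() path quoted in comment 13: one function detects physical RAM on Linux, *BSD and Darwin, a second applies the 5% slop from jmemansi.c and falls back to DEFAULT_MAX_MEM when detection fails. The function names and the 64 MB fallback (matching --enable-maxmem=64) are assumptions of this example.

```c
/* Added example, not an attached patch: portable jpeg_mem_init() logic.
 * RAM is read via sysctl(HW_PHYSMEM) on *BSD/Darwin or sysconf() elsewhere;
 * 5% slop is subtracted and DEFAULT_MAX_MEM (assumed 64 MB) is the fallback. */
#include <limits.h>
#include <stdio.h>
#include <unistd.h>
#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
    defined(__OpenBSD__) || defined(__DragonFly__)
#include <sys/types.h>
#include <sys/sysctl.h>
#define HAVE_SYSCTL 1
#endif

#define DEFAULT_MAX_MEM (64L * 1024L * 1024L)

/* Physical RAM in bytes, or -1 if no detection method worked. */
long long query_phys_mem(void)
{
#if defined(HAVE_SYSCTL) && defined(HW_PHYSMEM)
    unsigned int physmem;                 /* HW_PHYSMEM is a 32-bit value */
    size_t len = sizeof physmem;
    int mib[2] = { CTL_HW, HW_PHYSMEM };
    if (sysctl(mib, 2, &physmem, &len, NULL, 0) == 0 && len == sizeof physmem)
        return (long long) physmem;
#endif
#if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE)
    long pages = sysconf(_SC_PHYS_PAGES), pagesize = sysconf(_SC_PAGESIZE);
    if (pages > 0 && pagesize > 0)
        return (long long) pages * pagesize;   /* long long cannot overflow here */
#endif
    return -1;
}

/* Turn a detected RAM figure into the allocation ceiling libjpeg should
 * honour: fallback on failure (-1 or 0), minus 5% slop, clamped to a long. */
long compute_max_mem(long long phys_bytes, long fallback)
{
    if (phys_bytes <= 0)
        return fallback;
    long long limit = phys_bytes - phys_bytes / 20;
    return limit > LONG_MAX ? LONG_MAX : (long) limit;
}

/* Body for jpeg_mem_init(j_common_ptr cinfo); cinfo is unused, so omitted. */
long jpeg_mem_init_portable(void)
{
    return compute_max_mem(query_phys_mem(), DEFAULT_MAX_MEM);
}
```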
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-31 11:51:56 UTC
sparc stable.
Comment 15 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-31 12:01:55 UTC
Created attachment 88017 [details, diff]
Updated patch supporting *BSD and Darwin and with fallback.

Here it is, thanks Fabian :)
Comment 16 Fabian Groffen gentoo-dev 2006-05-31 12:39:59 UTC
Created attachment 88028 [details, diff]
Re-Updated patch supporting *BSD and Darwin and with fallback.

this patch fixes the return type to be long, and to return 0 in case the condition does not hold.
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2006-05-31 12:42:46 UTC
stable on ppc64
Comment 18 Fabian Groffen gentoo-dev 2006-05-31 12:46:13 UTC
Comment on attachment 88028 [details, diff]
Re-Updated patch supporting *BSD and Darwin and with fallback.

this patch is wrong.  Don't use it.  Sorry for the spam.
Comment 19 Fabian Groffen gentoo-dev 2006-05-31 12:53:35 UTC
Created attachment 88029 [details, diff]
latest darwin/bsd/linux maxmem patch from SVN by Flameeyes

Attached is the proper fix for BSD/Darwin and GNU/Linux.  This patch should be put in the patch file after which I can mark ppc-macos stable.

Taviso or who is responsible: could you add + patchrevbump this patch to the current ebuild?  Thanks.
Comment 20 Thomas Cort (RETIRED) gentoo-dev 2006-05-31 16:49:52 UTC
amd64 stable.
Comment 21 Sander Knopper 2006-06-01 06:13:10 UTC
on x86:

compiles fine. Further I ran several transformations on an image which also went fine and gave the expected result. I also tested the functionality of the library itself by using KDE and Gimp which worked fine as well.
Comment 22 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-01 11:14:19 UTC
ppc stable
Comment 23 Mark Loeser (RETIRED) gentoo-dev 2006-06-01 20:56:38 UTC
x86 done, thanks for testing Sander
Comment 24 René Nussbaumer (RETIRED) gentoo-dev 2006-06-03 02:24:35 UTC
Stable on hppa
Comment 25 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-06-05 09:35:20 UTC
*** Bug 135644 has been marked as a duplicate of this bug. ***
Comment 26 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-10 00:33:45 UTC
Calling a GLSA vote on this one:

<taviso> re jpeg, i don't think glsa is necessary, it's very lame...just a client dos

Do any important applications use this?
Comment 27 Thomas Cort (RETIRED) gentoo-dev 2006-06-10 05:29:46 UTC
(In reply to comment #26)
> Do any important applications use this?

Many applications do. Here is a list of some popular apps that use it: emacs, wine, abiword, ghostscript-*, php, blender, gimp, gphoto2, cups, mozilla{-firefox}, qt, opera, and others.

Complete List: http://gentoo-portage.com/media-libs/jpeg/RDep#ptabs
Comment 28 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-10 05:42:41 UTC
Ok lets have the GLSA.
Comment 29 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-10 23:36:06 UTC
yes, as for me a GLSA is needed, since this issue allows me to crash nearly every computer of my friends :), whatever they use (konq, firefox, safari, IE...).  Some other linux distributions, and MacOS, windows... are affected too.
Comment 30 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-11 13:29:47 UTC
GLSA 200606-11

arm, bsd, ia64, mips, ppc-macos, s390, sh don't forget to mark stable to benefit from the GLSA.
Comment 31 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-06-11 14:11:24 UTC
Did _anybody_ take into consideration my and Grobian's messages?

Both Gentoo/*BSD and Gentoo for Mac OSX are cut off by that patch unless someone applies our version, which is a no-op for anyone else.

If nobody from the interested parties is going to make that change in 24h, I suppose either Grobian or I will do that, but consider that anybody wanting to scream at us afterward will have had enough time to validate and comment.
Comment 32 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-11 21:29:05 UTC
Sorry Diego I thought that it had already been applied. Taviso who applied the initial patch has been mostly away for some weeks due to a job change. (no screaming from here)
Comment 33 Fabian Groffen gentoo-dev 2006-06-12 00:52:17 UTC
Diego, as I'll not be able to do this and mark ppc-macos today/tonight (no access to my machine), can you do this if you have time?  Please also set the proper ppc-macos keyword if you do, I already tested with your patch.  Thanks.
Comment 34 Fabian Groffen gentoo-dev 2006-06-16 12:04:08 UTC
I updated the patchset to include Darwin/BSD fixes.  Marked ppc-macos stable.  Flameeyes can you manage the overlay (to which I committed the last cleaned up and working version of the patch) in the way you like?  (e.g. removing or whatever, the patch is now in the main tree)
Comment 35 Joshua Kinard gentoo-dev 2006-09-03 21:01:11 UTC
6b-r7 stable on mips.