Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 491150 - <media-libs/libjpeg-turbo-1.3.0-r3: uninitialized memory read (CVE-2013-{6629,6630})
Summary: <media-libs/libjpeg-turbo-1.3.0-r3: uninitialized memory read (CVE-2013-{6629...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A3 [glsa]
Keywords:
: 500618 (view as bug list)
Depends on:
Blocks: 499364
  Show dependency tree
 
Reported: 2013-11-13 09:10 UTC by Agostino Sarubbo
Modified: 2016-06-05 20:06 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-11-13 09:10:18 UTC
FROM $URL:

[258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and libjpeg-turbo. Credit to Michal Zalewski of Google.
[299835] Medium CVE-2013-6630: Read of uninitialized memory in libjpeg-turbo. Credit to Michal Zalewski of Google.
Comment 1 Agostino Sarubbo gentoo-dev 2013-11-18 16:41:49 UTC
The commit from the chromium repo, not applied to upstream:

http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libjpeg_turbo/jdmarker.c?r1=228381&r2=228380&pathrev=228381
Comment 2 Samuli Suominen gentoo-dev 2013-12-14 15:42:24 UTC
libjpeg-turbo-1.3.0-r3 has the upstream fix for this, http://sourceforge.net/p/libjpeg-turbo/code/1090/

however there's some work to be done before 1.3.0-r3 is ready for stable, and I've been lately much away, I'll have to check the current status before saying anything about stabilization, please hold on
Comment 3 Samuli Suominen gentoo-dev 2014-01-24 12:42:05 UTC
These should be OK to stabilize:

=virtual/jpeg-0-r2 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
=virtual/jpeg-62 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
=media-libs/libjpeg-turbo-1.3.0-r3 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86 (has a patch for CVE-2013-6629 and 6630)
=media-libs/jpeg-8d-r1 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
(has a patch for CVE-2013-6629 only, see bug 491152)
=media-libs/jpeg-6b-r12 amd64 x86 (has a patch for CVE-2013-6629 only, see bug 491152)

Sorry if I listed some now only ~arch ones.
Comment 4 Agostino Sarubbo gentoo-dev 2014-01-25 18:30:30 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-25 18:30:49 UTC
amd64 stable
Comment 6 Jeroen Roovers gentoo-dev 2014-01-26 08:13:26 UTC
Stable for HPPA.
Comment 7 Andreas K. Hüttel gentoo-dev 2014-01-26 16:01:39 UTC
This needs a bump of app-office/libreoffice-bin.
Will add it here and re-add amd64/x86 once the files are read.
Comment 8 Akinori Hattori gentoo-dev 2014-01-27 14:32:15 UTC
ia64 stable
Comment 9 Andreas K. Hüttel gentoo-dev 2014-01-27 23:43:19 UTC
@ amd64, x86: 

Please test and fast-stabilize (needed since the soversion of the jpeg library changed):

app-office/libreoffice-bin-4.1.4.2
app-office/libreoffice-bin-debug-4.1.4.2
app-office/libreoffice-l10n-4.1.4.2
Comment 10 Pacho Ramos gentoo-dev 2014-01-28 20:49:19 UTC
I see this:
# required by =app-office/libreoffice-bin-debug-4.1.4.2 (argument)
# /usr/portage/profiles/package.mask:
# Andreas K. Huettel <dilfridge@gentoo.org> (19 Nov 2013)
# Something is wrong with the distfiles, maybe caused by mirrormaster
# overload. Please deinstall app-office/libreoffice-bin-debug for now;
# I'm considering abandoning the debug info because of its file size.
=app-office/libreoffice-bin-debug-4.1.4.2

is that normal? :/
Comment 11 Andreas K. Hüttel gentoo-dev 2014-01-28 20:57:08 UTC
(In reply to Pacho Ramos from comment #10)
> I see this:
> # required by =app-office/libreoffice-bin-debug-4.1.4.2 (argument)
> # /usr/portage/profiles/package.mask:
> # Andreas K. Huettel <dilfridge@gentoo.org> (19 Nov 2013)
> # Something is wrong with the distfiles, maybe caused by mirrormaster
> # overload. Please deinstall app-office/libreoffice-bin-debug for now;
> # I'm considering abandoning the debug info because of its file size.
> =app-office/libreoffice-bin-debug-4.1.4.2
> 
> is that normal? :/

Ouch. Sorry I thought that mask was long gone. I removed it from package.mask just now. (/me wonders why noone noticed so far...)
Comment 12 Pacho Ramos gentoo-dev 2014-01-28 22:05:16 UTC
I get:
!!! Fetched file: amd64-debug-libreoffice-4.1.3.2-r3.tar.xz VERIFY FAILED!
!!! Reason: Failed on WHIRLPOOL verification
!!! Got:      8bc4e005c76ef33507b54802d46e96248ad137328c52c0411b65bf1f2895c7ff3c23cf71b16bff6483988734d6958b31fec018eff8e91685630c312020691502
!!! Expected: 57d5e3233c53517b862f987851ee503b61414774426566f9d945dd42792520a062855d0319bc10dfe2a24fd5583c455142c1be4fff7c8369969b0f2578d7a62d
Refetching... File renamed to '/usr/distfiles/amd64-debug-libreoffice-4.1.3.2-r3.tar.xz._checksum_failure_.jK3yCV'

forever while running repoman full :(
Comment 13 Pacho Ramos gentoo-dev 2014-01-28 22:23:17 UTC
(In reply to Pacho Ramos from comment #12)
> I get:
> !!! Fetched file: amd64-debug-libreoffice-4.1.3.2-r3.tar.xz VERIFY FAILED!
> !!! Reason: Failed on WHIRLPOOL verification
> !!! Got:     
> 8bc4e005c76ef33507b54802d46e96248ad137328c52c0411b65bf1f2895c7ff3c23cf71b16bf
> f6483988734d6958b31fec018eff8e91685630c312020691502
> !!! Expected:
> 57d5e3233c53517b862f987851ee503b61414774426566f9d945dd42792520a062855d0319bc1
> 0dfe2a24fd5583c455142c1be4fff7c8369969b0f2578d7a62d
> Refetching... File renamed to
> '/usr/distfiles/amd64-debug-libreoffice-4.1.3.2-r3.tar.xz._checksum_failure_.
> jK3yCV'
> 
> forever while running repoman full :(

Once solved, feel free to stabilize on amd64 (the apps look to work ok)
Comment 14 Andreas K. Hüttel gentoo-dev 2014-01-28 22:47:06 UTC
(In reply to Pacho Ramos from comment #13)
> (In reply to Pacho Ramos from comment #12)
> > I get:
> > !!! Fetched file: amd64-debug-libreoffice-4.1.3.2-r3.tar.xz VERIFY FAILED!
> > !!! Reason: Failed on WHIRLPOOL verification
> > !!! Got:     
> > 
> > forever while running repoman full :(
> 
> Once solved, feel free to stabilize on amd64 (the apps look to work ok)

Sorry for the mess, the bad hashes from the last bump must have survived in my mini lo-bin overlay.

Fixed and marked amd64 stable.
Comment 15 Jérôme Borme 2014-01-29 08:54:48 UTC
Portage now complains for people using app-office/libreoffice (not -bin). It wants to update app-office/libreoffice-l10n-4.1.4.2, but cannot because current stable is app-office/libreoffice-4.1.3.2-r2. I guess you should consider stabilizing app-office/libreoffice-4.1.4.2 as well.
Comment 16 Andreas K. Hüttel gentoo-dev 2014-01-29 10:01:16 UTC
(In reply to Jérôme Borme from comment #15)
> Portage now complains for people using app-office/libreoffice (not -bin). It
> wants to update app-office/libreoffice-l10n-4.1.4.2, but cannot because
> current stable is app-office/libreoffice-4.1.3.2-r2. I guess you should
> consider stabilizing app-office/libreoffice-4.1.4.2 as well.

Not a bug. 

(Yes I would not complain about stabilizing app-office/libreoffice-4.1.4.2 as well, but it's (a) not required here, and (b) puts undue stress on the arch teams.)
Comment 17 Jérôme Borme 2014-01-30 09:05:40 UTC
OK fine. (So in order to improve the correctness of my future bug reports, could you explain/point me at some resource that tell me why it's not a bug? What I saw, is that a stable system suddenly started giving conflicting dependencies, forcing me to either 1) update to unstable app-office/libreoffice or 2) manually mask the stable app-office/libreoffice-l10n. Both options defeat the purpose of having a the stable tree where packages which depend from each other play nice together. I always thought this would be a bug worth of reporting.)
Comment 18 Markus Meier gentoo-dev 2014-01-30 23:13:39 UTC
arm stable
Comment 19 Jeroen Roovers gentoo-dev 2014-02-07 14:54:09 UTC
*** Bug 500618 has been marked as a duplicate of this bug. ***
Comment 20 Jeroen Roovers gentoo-dev 2014-02-07 14:55:45 UTC
(In reply to Andreas K. Hüttel from comment #16)
> (In reply to Jérôme Borme from comment #15)
> > Portage now complains for people using app-office/libreoffice (not -bin). It
> > wants to update app-office/libreoffice-l10n-4.1.4.2, but cannot because
> > current stable is app-office/libreoffice-4.1.3.2-r2. I guess you should
> > consider stabilizing app-office/libreoffice-4.1.4.2 as well.
> 
> Not a bug. 

Yes it is. It's what we call "breaking the tree".
Comment 21 Andreas K. Hüttel gentoo-dev 2014-02-07 15:17:43 UTC
(In reply to Jeroen Roovers from comment #20)
> (In reply to Andreas K. Hüttel from comment #16)
> > (In reply to Jérôme Borme from comment #15)
> > > Portage now complains for people using app-office/libreoffice (not -bin). It
> > > wants to update app-office/libreoffice-l10n-4.1.4.2, but cannot because
> > > current stable is app-office/libreoffice-4.1.3.2-r2. I guess you should
> > > consider stabilizing app-office/libreoffice-4.1.4.2 as well.
> > 
> > Not a bug. 
> 
> Yes it is. It's what we call "breaking the tree".

Not so sure about that, I consider that message informative and not a warning or error. Anyway, stabilization has been requested in bug 500622.
Comment 22 Agostino Sarubbo gentoo-dev 2014-02-16 07:34:57 UTC
alpha stable
Comment 23 Agostino Sarubbo gentoo-dev 2014-02-20 14:12:36 UTC
ppc64 stable
Comment 24 Agostino Sarubbo gentoo-dev 2014-02-20 14:13:17 UTC
ppc stable
Comment 25 Agostino Sarubbo gentoo-dev 2014-02-20 14:16:06 UTC
(In reply to Andreas K. Hüttel from comment #9)
> @ amd64, x86: 
> 
> Please test and fast-stabilize (needed since the soversion of the jpeg
> library changed):
> 
> app-office/libreoffice-bin-4.1.4.2
> app-office/libreoffice-bin-debug-4.1.4.2
> app-office/libreoffice-l10n-4.1.4.2

Please open another bug for that, this is not the right place.
Comment 26 Agostino Sarubbo gentoo-dev 2014-02-20 14:16:53 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 27 Andreas K. Hüttel gentoo-dev 2014-02-20 14:23:14 UTC
(In reply to Agostino Sarubbo from comment #25)
> (In reply to Andreas K. Hüttel from comment #9)
> > @ amd64, x86: 
> > 
> > Please test and fast-stabilize (needed since the soversion of the jpeg
> > library changed):
> > 
> > app-office/libreoffice-bin-4.1.4.2
> > app-office/libreoffice-bin-debug-4.1.4.2
> > app-office/libreoffice-l10n-4.1.4.2
> 
> Please open another bug for that, this is not the right place.

x86 can't cleanup since current stable libreoffice-bin hard-depends on the vulnerable version. So this *is* the right place.
Comment 28 Agostino Sarubbo gentoo-dev 2014-02-22 07:45:44 UTC
(In reply to Andreas K. Hüttel from comment #27)
> x86 can't cleanup since current stable libreoffice-bin hard-depends on the
> vulnerable version. So this *is* the right place.

In the future please open another bug and make the block.
Comment 29 Agostino Sarubbo gentoo-dev 2014-02-22 08:11:52 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 30 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-19 02:00:26 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 31 Yury German Gentoo Infrastructure gentoo-dev Security 2016-06-05 20:06:47 UTC
This issue was resolved and addressed in
 GLSA 201606-03 at https://security.gentoo.org/glsa/201606-03
by GLSA coordinator Yury German (BlueKnight)