Bug 727010 (CVE-2020-13790) - <media-libs/libjpeg-turbo-{1.5.3-r3,2.0.4-r1}: Buffer overflow in get_rgb_row() via malformed PPM file (CVE-2020-13790)
Summary: <media-libs/libjpeg-turbo-{1.5.3-r3,2.0.4-r1}: Buffer overflow in get_rgb_row...
Status: IN_PROGRESS
Alias: CVE-2020-13790
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/libjpeg-turbo/libj...
Whiteboard: A3 [glsa cleanup cve]
Keywords: CC-ARCHES
Depends on:
Blocks: 727910
Reported: 2020-06-03 20:20 UTC by Sam James
Modified: 2020-09-20 16:18 UTC

See Also:
Package list:
=media-libs/libjpeg-turbo-1.5.3-r3 =media-libs/libjpeg-turbo-2.0.4-r1
Runtime testing required: ---
nattka: sanity-check+


Description Sam James gentoo-dev Security 2020-06-03 20:20:50 UTC
Description:
"libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file."

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433
Comment 1 Larry the Git Cow gentoo-dev 2020-06-13 16:30:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8110962edc520001b3d2059be69702a1ceccee9b

commit 8110962edc520001b3d2059be69702a1ceccee9b
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-11 00:37:52 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-06-13 16:30:39 +0000

    media-libs/libjpeg-turbo: Patch CVE-2020-13790
    
    Bug: https://bugs.gentoo.org/727010
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/16184

 .../files/libjpeg-turbo-1.5.3-CVE-2020-13790.patch |  43 ++++++++
 .../files/libjpeg-turbo-2.0.4-CVE-2020-13790.patch |  34 ++++++
 .../libjpeg-turbo/libjpeg-turbo-1.5.3-r3.ebuild    | 122 +++++++++++++++++++++
 .../libjpeg-turbo/libjpeg-turbo-2.0.4-r1.ebuild    | 108 ++++++++++++++++++
 4 files changed, 307 insertions(+)
Comment 2 Sergei Trofimovich gentoo-dev 2020-06-14 20:30:15 UTC
ppc64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-06-15 15:01:46 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-15 15:04:59 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-15 15:13:08 UTC
sparc stable
Comment 6 Sam James gentoo-dev Security 2020-06-17 14:23:30 UTC
arm64 stable
Comment 7 Rolf Eike Beer 2020-06-18 06:55:13 UTC
hppa stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2020-06-20 13:50:32 UTC
x86 stable
Comment 9 Sam James gentoo-dev Security 2020-07-17 00:02:52 UTC
@ppc: ping
Comment 10 Larry the Git Cow gentoo-dev 2020-08-08 04:42:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3b6a9195cdcad8e233e5f570114c8ff18f68327

commit c3b6a9195cdcad8e233e5f570114c8ff18f68327
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-08 04:42:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-08 04:42:08 +0000

    media-libs/libjpeg-turbo: fix tests on ppc
    
    Fix tests on PPC by applying upstream-recommended
    workaround (-DFLOATTEST=64bit).
    
    See https://github.com/libjpeg-turbo/libjpeg-turbo/issues/428
    for details.
    
    Bug: https://bugs.gentoo.org/727010
    Closes: https://bugs.gentoo.org/715406
    Thanks-to: ernsteiswuerfel <erhard_f@mailbox.org>
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libjpeg-turbo/libjpeg-turbo-2.0.4-r1.ebuild | 9 +++++++++
 media-libs/libjpeg-turbo/libjpeg-turbo-2.0.5.ebuild    | 9 +++++++++
 2 files changed, 18 insertions(+)
Comment 11 ernsteiswuerfel 2020-08-10 20:28:03 UTC
Looking good on ppc.

 # cat libjpeg-turbo-727010.report 
USE tests started on Mo 10. Aug 22:05:15 CEST 2020

FEATURES=' test' USE='' succeeded for =media-libs/libjpeg-turbo-1.5.3-r3
USE='-static-libs' succeeded for =media-libs/libjpeg-turbo-1.5.3-r3
USE='static-libs' succeeded for =media-libs/libjpeg-turbo-1.5.3-r3

FEATURES=' test' USE='' succeeded for =media-libs/libjpeg-turbo-2.0.4-r1
USE='-static-libs' succeeded for =media-libs/libjpeg-turbo-2.0.4-r1
USE='static-libs' succeeded for =media-libs/libjpeg-turbo-2.0.4-r1


rdeps pulled in from tatt for testing are seamonkey, thunderbird which both are not keyworded on ppc (ppc64 only).
Comment 12 Sergei Trofimovich gentoo-dev 2020-08-11 07:24:04 UTC
ppc stable thanks to ernsteiswuerfel!
Comment 13 John Helmert III (ajak) 2020-09-20 16:18:05 UTC
Need cleanup and GLSA.