Description: "libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file." https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8110962edc520001b3d2059be69702a1ceccee9b commit 8110962edc520001b3d2059be69702a1ceccee9b Author: Sam James (sam_c) <sam@cmpct.info> AuthorDate: 2020-06-11 00:37:52 +0000 Commit: Mike Gilbert <floppym@gentoo.org> CommitDate: 2020-06-13 16:30:39 +0000 media-libs/libjpeg-turbo: Patch CVE-2020-13790 Bug: https://bugs.gentoo.org/727010 Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: Sam James (sam_c) <sam@cmpct.info> Signed-off-by: Mike Gilbert <floppym@gentoo.org> Closes: https://github.com/gentoo/gentoo/pull/16184 .../files/libjpeg-turbo-1.5.3-CVE-2020-13790.patch | 43 ++++++++ .../files/libjpeg-turbo-2.0.4-CVE-2020-13790.patch | 34 ++++++ .../libjpeg-turbo/libjpeg-turbo-1.5.3-r3.ebuild | 122 +++++++++++++++++++++ .../libjpeg-turbo/libjpeg-turbo-2.0.4-r1.ebuild | 108 ++++++++++++++++++ 4 files changed, 307 insertions(+)
ppc64 stable
amd64 stable
arm stable
sparc stable
arm64 stable
hppa stable
x86 stable
@ppc: ping
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3b6a9195cdcad8e233e5f570114c8ff18f68327 commit c3b6a9195cdcad8e233e5f570114c8ff18f68327 Author: Sam James <sam@gentoo.org> AuthorDate: 2020-08-08 04:42:00 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2020-08-08 04:42:08 +0000 media-libs/libjpeg-turbo: fix tests on ppc Fix tests on PPC by applying upstream-recommended workaround (-DFLOATTEST=64bit). See https://github.com/libjpeg-turbo/libjpeg-turbo/issues/428 for details. Bug: https://bugs.gentoo.org/727010 Closes: https://bugs.gentoo.org/715406 Thanks-to: ernsteiswuerfel <erhard_f@mailbox.org> Package-Manager: Portage-3.0.1, Repoman-2.3.23 Signed-off-by: Sam James <sam@gentoo.org> media-libs/libjpeg-turbo/libjpeg-turbo-2.0.4-r1.ebuild | 9 +++++++++ media-libs/libjpeg-turbo/libjpeg-turbo-2.0.5.ebuild | 9 +++++++++ 2 files changed, 18 insertions(+)
Looking good on ppc. # cat libjpeg-turbo-727010.report USE tests started on Mo 10. Aug 22:05:15 CEST 2020 FEATURES=' test' USE='' succeeded for =media-libs/libjpeg-turbo-1.5.3-r3 USE='-static-libs' succeeded for =media-libs/libjpeg-turbo-1.5.3-r3 USE='static-libs' succeeded for =media-libs/libjpeg-turbo-1.5.3-r3 FEATURES=' test' USE='' succeeded for =media-libs/libjpeg-turbo-2.0.4-r1 USE='-static-libs' succeeded for =media-libs/libjpeg-turbo-2.0.4-r1 USE='static-libs' succeeded for =media-libs/libjpeg-turbo-2.0.4-r1 rdeps pulled in from tatt for testing are seamonkey, thunderbird which both are not keyworded on ppc (ppc64 only).
ppc stable thanks to ernsteiswuerfel!
Need cleanup and GLSA.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3090e82542e7c97c9555f9968bc02664d99774a0 commit 3090e82542e7c97c9555f9968bc02664d99774a0 Author: Sam James <sam@gentoo.org> AuthorDate: 2020-10-04 17:38:42 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2020-10-04 17:39:15 +0000 media-libs/libjpeg-turbo: security cleanup Bug: https://bugs.gentoo.org/727010 Bug: https://bugs.gentoo.org/727910 Package-Manager: Portage-3.0.4, Repoman-3.0.1 Signed-off-by: Sam James <sam@gentoo.org> media-libs/libjpeg-turbo/Manifest | 1 - .../libjpeg-turbo/libjpeg-turbo-2.0.3.ebuild | 100 --------------------- 2 files changed, 101 deletions(-)
Unable to check for sanity: > no match for package: =media-libs/libjpeg-turbo-2.0.4-r1
Unable to check for sanity: > no match for package: =media-libs/libjpeg-turbo-1.5.3-r3
Done in https://security.gentoo.org/glsa/202010-03.