Bug 905324 (CVE-2023-27781) - <media-gfx/jpegoptim-1.5.3: heap buffer overflow
Summary: <media-gfx/jpegoptim-1.5.3: heap buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2023-27781
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/tjko/jpegoptim/iss...
Whiteboard: B3 [noglsa]
Reported: 2023-04-29 19:40 UTC by John Helmert III
Modified: 2023-05-23 04:31 UTC
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 19:40:11 UTC
CVE-2023-27781:

jpegoptim v1.5.2 was discovered to contain a heap overflow in the optimize function at jpegoptim.c.

Needs bump to 1.5.3.
Comment 1 Larry the Git Cow gentoo-dev 2023-04-29 20:30:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8aecf4440fa038d73d5180e0ac91aabe3b86d30

commit e8aecf4440fa038d73d5180e0ac91aabe3b86d30
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-29 20:24:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-29 20:30:23 +0000

    media-gfx/jpegoptim: add 1.5.3
    
    Bug: https://bugs.gentoo.org/905324
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-gfx/jpegoptim/Manifest               |  1 +
 media-gfx/jpegoptim/jpegoptim-1.5.3.ebuild | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
Comment 2 Ionen Wolkens gentoo-dev 2023-04-30 07:44:30 UTC
Hadn't noticed this was m-n. I minimally use it on my server with jpg thumbnails, so I may as well take maintenance from here (will give it a bit of review and stable it in a few days).

Thanks for the sec bump.
Comment 3 Agostino Sarubbo gentoo-dev 2023-04-30 07:45:17 UTC
(In reply to John Helmert III from comment #0)
> CVE-2023-27781:
> 
> jpegoptim v1.5.2 was discovered to contain a heap overflow in the optimize
> function at jpegoptim.c.
> 
> Needs bump to 1.5.3.

This comment is also valid for other similar bugs. I don't know who has been assigning the CVEs lately, but at the time I was active in fuzzing research I learned that READ overflows in command line tools were considered an inconvenience.

https://www.openwall.com/lists/oss-security/2016/09/09/11
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-01 04:31:01 UTC
(In reply to Agostino Sarubbo from comment #3)
> (In reply to John Helmert III from comment #0)
> > CVE-2023-27781:
> > 
> > jpegoptim v1.5.2 was discovered to contain a heap overflow in the optimize
> > function at jpegoptim.c.
> > 
> > Needs bump to 1.5.3.
> 
> This comment is valid also for other similar bugs. I don't know who is
> assigning the CVEs in the last time, but at the time I was active in fuzzing
> research I learned that READ overflow in command line tool were considered
> an inconvenience
> 
> https://www.openwall.com/lists/oss-security/2016/09/09/11

Of course, it all depends on impact. An OOB read that results in a graceful exit is different than an OOB read that triggers a segfault is different than an OOB read into a function pointer with an easily groomable heap which gives you control flow. It seems like they were just telling you that they thought issues were definitely not the latter?

It's interesting that MITRE said that to you but now issues CVEs for anything. Regardless, it's reasonable for us (downstream) to track CVEs generally without being opinionated about whether we track various CVEs.
Comment 5 Larry the Git Cow gentoo-dev 2023-05-06 11:17:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3dd00c7dffba270a8b78ce3ac8d46fa96dc5478b

commit 3dd00c7dffba270a8b78ce3ac8d46fa96dc5478b
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-05-06 11:01:00 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-05-06 11:16:47 +0000

    media-gfx/jpegoptim: drop vulnerable 1.4.6
    
    Bug: https://bugs.gentoo.org/905324
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 media-gfx/jpegoptim/Manifest               |  1 -
 media-gfx/jpegoptim/jpegoptim-1.4.6.ebuild | 15 ---------------
 2 files changed, 16 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=944464257eec140861e1dd5c44b197ad9a7261f0

commit 944464257eec140861e1dd5c44b197ad9a7261f0
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-05-06 11:00:48 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-05-06 11:16:46 +0000

    media-gfx/jpegoptim: stabilize 1.5.3-r1 for amd64, x86
    
    Bug: https://bugs.gentoo.org/905324
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 media-gfx/jpegoptim/jpegoptim-1.5.3-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-23 04:31:05 UTC
Thanks! Only a DoS via overread, no GLSA.