Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 856037 (CVE-2022-34000) - media-libs/libjxl: assertion failure (with further impact?)
Summary: media-libs/libjxl: assertion failure (with further impact?)
Status: CONFIRMED
Alias: CVE-2022-34000
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/libjxl/libjxl/issu...
Whiteboard: B? [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-03 02:03 UTC by John Helmert III
Modified: 2022-08-18 01:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-03 02:03:53 UTC
CVE-2022-34000:

libjxl 0.6.1 has an assertion failure in LowMemoryRenderPipeline::Init() in render_pipeline/low_memory_render_pipeline.cc.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 01:04:13 UTC
Looks like this is the patch:

https://github.com/libjxl/libjxl/commit/aff17c4a57eb1e4d7ef00ea728d33cdb5b2ca9da

So I guess we need another prerelease snapshot. The reporter's crash log has this, which *seemingly* indicates bad instructions were being run somehow, though I don't understand how that's possible via an assertion:

[1]    888096 illegal hardware instruction  ./decode_oneshot /tmp/poc /dev/null /dev/null

Maintainer, please bump.