[arch-security] [Arch Linux Security Advisory ASA-201411-33] libjpeg-turbo: denial of service

Remi Gacogne rgacogne at archlinux.org
Fri Nov 28 09:02:55 UTC 2014 

Arch Linux Security Advisory ASA-201411-33
==========================================

Severity: Medium
Date    : 2014-11-28
CVE-ID  : CVE-2014-9092
Package : libjpeg-turbo
Type    : denial of service
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package libjpeg-turbo before version 1.3.1-3 is vulnerable to denial
of service.

Resolution
==========

Upgrade to 1.3.1-3.

# pacman -Syu "libjpeg-turbo>=1.3.1-3"

The problem has been fixed upstream but a new version has not been
released yet.

Workaround
==========

None.

Description
===========

Special crafted jpeg files lead to  stack smashing and lead to at least
a dos (maybe remote due to imagick).

The Huffman encoder's local buffer can be overrun when a buffered
destination manager is being used and an extremely-high-frequency block
(basically junk image data) is being encoded.
Even though the Huffman local buffer was increased from 128 bytes to 136
bytes to address the previous issue, the new issue caused even the
larger buffer to be overrun. Further analysis reveals that, in the
absolute worst case (such as setting alternating AC coefficients to
32767 and -32768 in the JPEG scanning order), the Huffman encoder can
produce encoded blocks that approach double the size of the unencoded
blocks. Thus, the Huffman local buffer was increased to 256 bytes, which
should prevent any such issue from re-occurring in the future.

Impact
======

An attacker can cause a denial of service or other unspecified impact by
supplying a specially crafted JPEG file.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9092
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768369
http://sourceforge.net/p/libjpeg-turbo/code/1427/
https://bugs.archlinux.org/task/42922

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141128/ef999ea4/attachment.bin>

More information about the arch-security mailing list