From a246bd77d296da72b776e7c4141d50ca01db07a7 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Tue, 22 Apr 2025 23:28:20 +0200
Subject: [PATCH] fix CVE-2020-13790: heap-based buffer over-read in get_rgb_row (RHEL-87364)
Resolves: RHEL-87364
---
 libjpeg-turbo-CVE-2020-13790.patch | 29 +++++++++++++++++++++++++++++
 libjpeg-turbo.spec | 27 +++++++++++++++++----------
 2 files changed, 46 insertions(+), 10 deletions(-)
 create mode 100644 libjpeg-turbo-CVE-2020-13790.patch
diff --git a/libjpeg-turbo-CVE-2020-13790.patch b/libjpeg-turbo-CVE-2020-13790.patch
new file mode 100644
index 0000000..05f16ba
--- /dev/null
+++ b/libjpeg-turbo-CVE-2020-13790.patch
@@ -0,0 +1,29 @@
+From 3de15e0c344d11d4b90f4a47136467053eb2d09a Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 2 Jun 2020 14:15:37 -0500
+Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
+
+This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
+include binary PPM files with maximum values < 255, thus preventing a
+malformed binary PPM input file with those specifications from
+triggering an overrun of the rescale array and potentially crashing
+cjpeg, TJBench, or any program that uses the tjLoadImage() function.
+
+Fixes #433
+---
+ rdppm.c | 4 ++--
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/rdppm.c b/rdppm.c
+index 87bc33090..a8507b902 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@ -425,7 +425,7 @@ start_input_ppm (j_compress_ptr cinfo, c
+ /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+ source->rescale = (JSAMPLE *)
+ (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
+- (size_t) (((long) maxval + 1L) *
++ (size_t)(((long)MAX(maxval, 255) + 1L) *
+ sizeof(JSAMPLE)));
+ half_maxval = maxval / 2;
+ for (val = 0; val <= (long) maxval; val++) {
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index 09283d8..67d30b4 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
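Review bot: The nested hunk header in the new patch file reads `+@ -425,7 +425,7 @@ start_input_ppm (j_compress_ptr cinfo, c` with a single leading `@`; if the committed file really lacks the second `@` rather than this being a rendering artefact, `%patch -P 9` will not recognize the hunk and %prep fails, so it is worth confirming against the file itself. On the fix, the allocation grows to MAX(maxval, 255) + 1 entries, but the initialization loop on the hunk's last context line still stops at maxval and alloc_small does not clear what it hands out, so for a binary PPM with maxval < 255 a sample byte above maxval now indexes an uninitialized in-bounds entry instead of running past the table — the over-read is gone, but the decoded value for such malformed input is indeterminate, which matches upstream 3de15e0c and deserves a line in the patch header or the Patch9 comment, e.g. `# bounds the rescale[] lookup; entries above maxval stay uninitialized, so out-of-range samples decode to indeterminate values`. The hunk also assumes a MAX macro is visible in 1.5.3's rdppm.c; if it is not, the failure is a compile error in %build rather than a silent miscompile, so a build log settles it. start_input_ppm's body continues outside the hunk.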
@@ -1,6 +1,6 @@
 Name: libjpeg-turbo
 Version: 1.5.3
-Release: 12%{?dist}
+Release: 13%{?dist}
 Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License: IJG
 URL: http://sourceforge.net/projects/libjpeg-turbo
@@ -15,6 +15,9 @@ Patch5: libjpeg-turbo-coverity.patch
 Patch6: libjpeg-turbo-CET.patch
 Patch7: libjpeg-turbo-CVE-2018-14498.patch
 Patch8: libjpeg-turbo-CVE-2020-17541.patch
+# from upstream, for < 2.0.5, RHEL-87364
+# https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a
+Patch9: libjpeg-turbo-CVE-2020-13790.patch

 BuildRequires: autoconf
 BuildRequires: automake
@@ -76,15 +79,16 @@ manipulate JPEG files using the TurboJPEG library.

 %prep
 %setup -q
-%patch0 -p1 -b .noinst
-%patch1 -p1 -b .header-files
-%patch2 -p1 -b .CVE-2018-11813
-%patch3 -p1 -b .CVE-2018-1152
-%patch4 -p1 -b .honor-naflags
-%patch5 -p1 -b .coverity
-%patch6 -p1 -b .CET
-%patch7 -p1 -b .CVE-2018-14498
-%patch8 -p1 -b .CVE-2020-17541
+%patch -P 0 -p1 -b .noinst
+%patch -P 1 -p1 -b .header-files
+%patch -P 2 -p1 -b .CVE-2018-11813
+%patch -P 3 -p1 -b .CVE-2018-1152
+%patch -P 4 -p1 -b .honor-naflags
+%patch -P 5 -p1 -b .coverity
+%patch -P 6 -p1 -b .CET
+%patch -P 7 -p1 -b .CVE-2018-14498
+%patch -P 8 -p1 -b .CVE-2020-17541
+%patch -P 9 -p1 -b .CVE-2020-13790

 %build
 autoreconf -vif
@@ -188,6 +192,9 @@ make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc

 %changelog
+* Tue Apr 22 2025 Michal Hlavinka - 1.5.3-13
+- fix CVE-2020-13790: heap-based buffer over-read in get_rgb_row (RHEL-87364)
+
 * Thu Jul 15 2021 Nikola Forró - 1.5.3-12
 - Add missing license file (#1982572)
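Review bot: The %prep hunk rewrites all nine existing `%patchN -p1` lines to `%patch -P N -p1` syntax in the same commit that adds Patch9, but the changelog entry only records the CVE fix, so the build-script change goes undocumented; either add a second changelog line such as `- use %patch -P N syntax in %prep` or split the rewrite into its own commit. The `-b .CVE-2020-13790` backup suffix and the Patch9 comment in the earlier hunk pointing at the upstream commit follow the file's existing conventions and need no change.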