From a2d36ac1a0efa02ab260c3a09bbdf0b2406f71c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?=
Date: Fri, 15 Jun 2018 13:04:16 +0200
Subject: [PATCH] Fix CVE-2018-11813 (#1588804)
---
 libjpeg-turbo-CVE-2018-11813.patch | 59 ++++++++++++++++++++++++++++++
 libjpeg-turbo.spec | 7 +++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 libjpeg-turbo-CVE-2018-11813.patch
diff --git a/libjpeg-turbo-CVE-2018-11813.patch b/libjpeg-turbo-CVE-2018-11813.patch
new file mode 100644
index 0000000..a614d19
--- /dev/null
+++ b/libjpeg-turbo-CVE-2018-11813.patch
@@ -0,0 +1,59 @@
+From fccf53aed0093a626fca15f0d25f46fb6ed3e770 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 12 Jun 2018 16:08:26 -0500
+Subject: [PATCH] Fix CVE-2018-11813
+
+Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
+file (specifically, a file with a valid Targa header but incomplete pixel data)
+would cause cjpeg to generate a JPEG file that was potentially thousands of
+times larger than the input file. The Targa reader in cjpeg was not properly
+detecting that the end of the input file had been reached prematurely, so after
+all valid pixels had been read from the input, the reader injected dummy pixels
+with values of 255 into the JPEG compressor until the number of pixels
+specified in the Targa header had been compressed. The Targa reader in cjpeg
+now behaves like the PPM reader and aborts compression if the end of the input
+file is reached prematurely. Because this issue only affected cjpeg and not
+the underlying library, and because it did not involve any out-of-bounds reads
+or other exploitable behaviors, it was not believed to represent a security
+threat.
+---
+ rdtarga.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/rdtarga.c b/rdtarga.c
+index ecb4219..e0c6947 100644
+--- a/rdtarga.c
++++ b/rdtarga.c
+@@ -126,11 +126,10 @@ METHODDEF(void)
+ read_non_rle_pixel(tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file; no RLE expansion */
+ {
+- register FILE *infile = sinfo->pub.input_file;
+ register int i;
+
+ for (i = 0; i < sinfo->pixel_size; i++) {
+- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
++ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
+ }
+ }
+
+@@ -139,7 +138,6 @@ METHODDEF(void)
+ read_rle_pixel(tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file, expanding RLE data as needed */
+ {
+- register FILE *infile = sinfo->pub.input_file;
+ register int i;
+
+ /* Duplicate previously read pixel? */
+@@ -161,7 +159,7 @@ read_rle_pixel(tga_source_ptr sinfo)
+
+ /* Read next pixel */
+ for (i = 0; i < sinfo->pixel_size; i++) {
+- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
++ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
+ }
+ }
+
+--
+2.17.1
+
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index 01650b1..f382949 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@@ -1,12 +1,13 @@
 Name: libjpeg-turbo
 Version: 1.5.90
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License: IJG
 URL: http://sourceforge.net/projects/libjpeg-turbo
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0: libjpeg-turbo-cmake.patch
+Patch1: libjpeg-turbo-CVE-2018-11813.patch
 BuildRequires: gcc
 BuildRequires: cmake
@@ -69,6 +70,7 @@ manipulate JPEG files using the TurboJPEG library.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 %build
 %{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@@ -168,6 +170,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 %changelog
+* Fri Jun 15 2018 Nikola Forró - 1.5.90-2
+- Fix CVE-2018-11813 (#1588804)
+
 * Wed Mar 28 2018 Nikola Forró - 1.5.90-1
 - New upstream release 1.5.90 (#1560219)
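Review bot: The new `(U_CHAR)read_byte(sinfo)` lines in read_non_rle_pixel and read_rle_pixel remove the silent EOF-to-0xFF conversion (`getc()` returns EOF, i.e. -1, on a truncated file and the `U_CHAR` cast turned that into the 255-valued dummy pixels the description mentions), but nothing in the hunks shows how read_byte behaves at end of file — its definition is outside the patch, so the fix rests on read_byte erroring out rather than returning a value the same cast would happily accept. A one-line comment on each replaced line would stop a future maintainer from "simplifying" it back to getc: `/* read_byte() aborts on premature EOF; getc() silently yielded 0xFF (CVE-2018-11813) */`. The upstream message's "not believed to represent a security threat" understates the impact for a packager: the visible symptom is an output file thousands of times larger than a tiny input, i.e. output amplification / disk and CPU exhaustion for any service that runs cjpeg on untrusted Targa files, which is the reason this carries a CVE. Note that each function's `METHODDEF(void)` line sits just above its hunk, and read_rle_pixel's RLE-count handling between the second and third hunks is not shown, so whether that path also avoids raw getc() cannot be confirmed from this patch.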