Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[ GLSA 200606-11 ] JPEG library: Denial of Service

From: Sune Kloppenborg Jeppesen <jaervosz () gentoo org>
Date: Sun, 11 Jun 2006 22:15:04 +0200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200606-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: JPEG library: Denial of Service
      Date: June 11, 2006
      Bugs: #130889
        ID: 200606-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The JPEG library is vulnerable to a Denial of Service.

Background
==========

The JPEG library is able to load, handle and manipulate images in the
JPEG format.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  media-libs/jpeg       < 6b-r7                            >= 6b-r7

Description
===========

Tavis Ormandy of the Gentoo Linux Auditing Team discovered that the
vulnerable JPEG library ebuilds compile JPEG without the --maxmem
feature which is not recommended.

Impact
======

By enticing a user to load a specially crafted JPEG image file an
attacker could cause a Denial of Service, due to memory exhaustion.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

JPEG users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/jpeg-6b-r7"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200606-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: