oss-sec mailing list archives
CVE-2019-2201: libjpeg-turbo: code execution
From: Wolfgang Frisch <wolfgang.frisch () suse com>
Date: Mon, 11 Nov 2019 17:49:45 +0100
Hi, there is an integer overflow and subsequent heap corruption in libjpeg-turbo 2.0.3 and earlier. While I did not have anything to do with the discovery of the issue [1][2], I'd like to raise attention due to the high possible impact. Steps to reproduce: - Create a JPEG image, size 26755 x 26755, RGB with 8 bits per channel. - Run gdb tjbench
(gdb) run reproducer.jpeg Image size: 26755 x 26755 Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7d44d9d in __memset_avx2_erms () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff7d44d9d in __memset_avx2_erms () from /lib64/libc.so.6 #1 0x0000555555558f7a in memset (__len=18446744071562074395, __ch=127, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:71 #2 decomp (srcBuf=0x0, jpegBuf=0x7fffffffd8e0, jpegSize=0x7fffffffd8e8, dstBuf=<optimized out>, w=26755, h=26755, subsamp=2, jpegQual=0, fileName=0x7fffffffdfaa "CVE-2019-2201-reproducer-SEGFAULT-26755x26755", tilew=26755, tileh=26755) at /usr/src/debug/libjpeg-turbo-2.0.3-56.1.x86_64/tjbench.c:174 #3 0x0000555555557103 in decompTest (fileName=0x7fffffffdfaa "CVE-2019-2201-reproducer-SEGFAULT-26755x26755") at /usr/src/debug/libjpeg-turbo-2.0.3-56.1.x86_64/tjbench.c:712 #4 main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/libjpeg-turbo-2.0.3-56.1.x86_64/tjbench.c:1003
We identified that it crashed on writing to a libc.so mapping. The reproducer is also described in our bug report [3]. [1] https://source.android.com/security/bulletin/2019-11-01 [2] https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361 [3] https://bugzilla.suse.com/show_bug.cgi?id=1156402 Best regards, Wolfgang Frisch -- Wolfgang Frisch <wolfgang.frisch () suse com> Security Engineer OpenPGP fingerprint: A2E6 B7D4 53E9 544F BC13 D26B D9B3 56BD 4D4A 2D15 SUSE Software Solutions Germany GmbH Maxfeldstr. 5, 90409 Nuremberg, Germany (HRB 36809, AG Nürnberg) Managing Director: Felix Imendörffer
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE-2019-2201: libjpeg-turbo: code execution Wolfgang Frisch (Nov 11)
- Re: CVE-2019-2201: libjpeg-turbo: code execution pgajdos (Nov 12)