Bugzilla – Bug 1172491
VUL-1: CVE-2020-13790: libjpeg-turbo: heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file
Last modified: 2021-06-17 08:59:49 UTC
CVE-2020-13790

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13790
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13790.html
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13790
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433
Created attachment 838489
libjpeg-turbo-CVE-2020-13790-reproducer.zip

QA REPRODUCER:

valgrind -q cjpeg ./libjpeg-turbo-CVE-2020-13790-reproducer
BEFORE

Indeed: TW,15,12/libjpeg-turbo and 10sp3,11/jpeg:

$ valgrind -q cjpeg libjpeg-turbo-CVE-2020-13790-reproducer
==2280== Invalid read of size 1
==2280==    at 0x10B7C7: get_rgb_row (rdppm.c:434)
==2280==    by 0x10A5C3: main (cjpeg.c:664)
==2280==  Address 0x4a9ed36 is 15 bytes after a block of size 16,151 alloc'd
==2280==    at 0x483877F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2280==    by 0x488B202: alloc_small (jmemmgr.c:318)
==2280==    by 0x10F273: jinit_read_ppm (rdppm.c:757)
==2280==    by 0x10A546: UnknownInlinedFun (cjpeg.c:118)
==2280==    by 0x10A546: main (cjpeg.c:636)
==2280==
==2280== Invalid read of size 1
==2280==    at 0x10B7D2: get_rgb_row (rdppm.c:434)
==2280==    by 0x10A5C3: main (cjpeg.c:664)
==2280==  Address 0x4a9ed36 is 15 bytes after a block of size 16,151 alloc'd
==2280==    at 0x483877F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2280==    by 0x488B202: alloc_small (jmemmgr.c:318)
==2280==    by 0x10F273: jinit_read_ppm (rdppm.c:757)
==2280==    by 0x10A546: UnknownInlinedFun (cjpeg.c:118)
==2280==    by 0x10A546: main (cjpeg.c:636)
==2280==
==2280== Invalid read of size 1
==2280==    at 0x10B7E8: get_rgb_row (rdppm.c:434)
==2280==    by 0x10A5C3: main (cjpeg.c:664)
==2280==  Address 0x4a9ed36 is 15 bytes after a block of size 16,151 alloc'd
==2280==    at 0x483877F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2280==    by 0x488B202: alloc_small (jmemmgr.c:318)
==2280==    by 0x10F273: jinit_read_ppm (rdppm.c:757)
==2280==    by 0x10A546: UnknownInlinedFun (cjpeg.c:118)
==2280==    by 0x10A546: main (cjpeg.c:636)
==2280==
Premature end of input file
$

PATCH

referenced in comment 0

AFTER

$ valgrind -q cjpeg libjpeg-turbo-CVE-2020-13790-reproducer
Premature end of input file
$

[11,10sp3: use of uninitialized value remains, invalid read gone]
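Added example (not part of the original bug comments): one way to automate the BEFORE/AFTER comparison above, by parsing memcheck output and checking that the invalid read in get_rgb_row() is gone while still listing unrelated residual errors, as noted for 11/10sp3. The log excerpts are constructed on the model of the output quoted above; the example_fn frame and the function names memcheck_errors, fix_verified and residual are assumptions.

```python
import re

HEADER = re.compile(r"^==\d+== (\S.*)$")   # e.g. "==2280== Invalid read of size 1"
FRAME = re.compile(r"^==\d+==\s+at 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")

def memcheck_errors(log):
    """Return (kind, function, location) for the top frame of each memcheck error."""
    errors, pending = [], None
    for line in log.splitlines():
        header = HEADER.match(line)
        if header:
            pending = header.group(1)
            continue
        frame = FRAME.match(line)
        if frame and pending:      # first "at" line directly after an error header
            errors.append((pending, frame.group(1), frame.group(2)))
        pending = None             # allocation-site "at" lines are ignored
    return errors

def _hits(log, kind, func):
    return [e for e in memcheck_errors(log) if e[0].startswith(kind) and e[1] == func]

def fix_verified(before, after, kind="Invalid read", func="get_rgb_row"):
    """True if the targeted error occurred before the patch and not after it."""
    return bool(_hits(before, kind, func)) and not _hits(after, kind, func)

def residual(after):
    """Distinct errors still reported after the patch (not the targeted one)."""
    return sorted(set(memcheck_errors(after)))

# Constructed logs, modelled on the memcheck output quoted in the comment above.
BEFORE = """\
==2280== Invalid read of size 1
==2280==    at 0x10B7C7: get_rgb_row (rdppm.c:434)
==2280==    by 0x10A5C3: main (cjpeg.c:664)
==2280==  Address 0x4a9ed36 is 15 bytes after a block of size 16,151 alloc'd
==2280==    at 0x483877F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
Premature end of input file
"""
AFTER_CLEAN = "Premature end of input file\n"
# Constructed: stands in for the older packages where an uninitialised-value
# report remains; example_fn and example.c are placeholder names.
AFTER_OLD = """\
==2291== Use of uninitialised value of size 8
==2291==    at 0x10B000: example_fn (example.c:1)
Premature end of input file
"""

print(fix_verified(BEFORE, AFTER_CLEAN), fix_verified(BEFORE, AFTER_OLD), residual(AFTER_OLD))
```

A plain "valgrind reports nothing" gate would reject the 11/10sp3 result even though the targeted invalid read is fixed; checking the specific error kind and function avoids that while keeping the residual report visible.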
Submitted for TW,15,12/libjpeg-turbo and 11,10sp3/jpeg. I believe all fixed.
This is an autogenerated message for OBS integration:
This bug (1172491) was mentioned in
https://build.opensuse.org/request/show/812575 Factory / libjpeg-turbo
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2020-07-22. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64472
SUSE-SU-2020:2570-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172491
CVE References: CVE-2020-13790
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libjpeg-turbo-1.5.3-31.22.2, libjpeg62-turbo-1.5.3-31.22.2
SUSE Linux Enterprise Server 12-SP5 (src): libjpeg-turbo-1.5.3-31.22.2, libjpeg62-turbo-1.5.3-31.22.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2569-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172491
CVE References: CVE-2020-13790
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): libjpeg-turbo-1.5.3-5.15.7
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): libjpeg-turbo-1.5.3-5.15.7
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): libjpeg-turbo-1.5.3-5.15.7
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): libjpeg-turbo-1.5.3-5.15.7
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): libjpeg-turbo-1.5.3-5.15.7, libjpeg62-turbo-1.5.3-5.15.7
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libjpeg-turbo-1.5.3-5.15.7, libjpeg62-turbo-1.5.3-5.15.7

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1413-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172491
CVE References: CVE-2020-13790
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): libjpeg-turbo-1.5.3-lp151.6.6.1, libjpeg62-turbo-1.5.3-lp151.6.6.1
Resolved.
openSUSE-SU-2020:1458-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1172491
CVE References: CVE-2020-13790
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): libjpeg-turbo-1.5.3-lp152.8.3.1, libjpeg62-turbo-1.5.3-lp152.8.3.1