Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 11 Nov 2019 17:49:45 +0100
From: Wolfgang Frisch <wolfgang.frisch@...e.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-2201: libjpeg-turbo: code execution

Hi,

there is an integer overflow and subsequent heap corruption in
libjpeg-turbo 2.0.3 and earlier. While I did not have anything to do
with the discovery of the issue [1][2], I'd like to raise attention due
to the high possible impact.

Steps to reproduce:
- Create a JPEG image, size 26755 x 26755, RGB with 8 bits per channel.
- Run gdb tjbench

>(gdb) run reproducer.jpeg
>
> Image size: 26755 x 26755
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff7d44d9d in __memset_avx2_erms () from /lib64/libc.so.6
> (gdb) bt
> #0  0x00007ffff7d44d9d in __memset_avx2_erms () from /lib64/libc.so.6
> #1  0x0000555555558f7a in memset (__len=18446744071562074395, __ch=127, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:71
> #2  decomp (srcBuf=0x0, jpegBuf=0x7fffffffd8e0, jpegSize=0x7fffffffd8e8, dstBuf=<optimized out>, w=26755, h=26755, subsamp=2, jpegQual=0, 
>     fileName=0x7fffffffdfaa "CVE-2019-2201-reproducer-SEGFAULT-26755x26755", tilew=26755, tileh=26755) at /usr/src/debug/libjpeg-turbo-2.0.3-56.1.x86_64/tjbench.c:174
> #3  0x0000555555557103 in decompTest (fileName=0x7fffffffdfaa "CVE-2019-2201-reproducer-SEGFAULT-26755x26755") at /usr/src/debug/libjpeg-turbo-2.0.3-56.1.x86_64/tjbench.c:712
> #4  main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/libjpeg-turbo-2.0.3-56.1.x86_64/tjbench.c:1003

We identified that it crashed on writing to a libc.so mapping.

The reproducer is also described in our bug report [3].

[1] https://source.android.com/security/bulletin/2019-11-01
[2] https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
[3] https://bugzilla.suse.com/show_bug.cgi?id=1156402

Best regards,
Wolfgang Frisch

-- 
Wolfgang Frisch <wolfgang.frisch@...e.com>
Security Engineer
OpenPGP fingerprint: A2E6 B7D4 53E9 544F BC13  D26B D9B3 56BD 4D4A 2D15
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nuremberg, Germany
(HRB 36809, AG N├╝rnberg)
Managing Director: Felix Imend├Ârffer









Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.