libjpeg-mmx: CVE-2006-3005: memory exhaustion

Related Vulnerabilities: CVE-2006-3005  

Debian Bug report logs - #373672

Package: libjpeg-mmx; Maintainer for libjpeg-mmx is (unknown);

Reported by: Alec Berryman <alec@thened.net>

Date: Wed, 14 Jun 2006 23:03:07 UTC

Severity: important

Tags: patch, security

Done: Matej Vela <vela@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian QA Group <packages@qa.debian.org>:
Bug#373672; Package libjpeg-mmx.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian QA Group <packages@qa.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libjpeg-mmx: CVE-2006-3005: memory exhaustion
Date: Wed, 14 Jun 2006 17:53:45 -0500
Package: libjpeg-mmx
Severity: important
Tags: security patch

CVE-2006-3005: "The JPEG library in media-libs/jpeg before 6b-r7 on
Gentoo Linux is built without the -maxmem feature, which could allow
context-dependent attackers to cause a denial of service (memory
exhaustion) via a crafted JPEG file that exceeds the intended memory
limits."

Although the CVE is Gentoo-specific, Debian's libjpeg-mmx is not built
with --maxmem enabled, making it vulnerable.  I have attached a trivial
patch to enable --maxmem to the same limit used in libjpeg62.  The
Gentoo bug report mentioned in the CVE [1] contains a more elaborate
patch [2] that limits the maximum amount of allocatable memory to 95% of
physical memory.  I believe the second patch is the better solution -
libjpeg62 sets maxmem to 1024MB, and that doesn't help much when mem +
swap is less than 1024 (the sample exploit image attached to the Gentoo
bug starts my computer thrashing).

Neither the Woody nor the Sarge version builds with --maxmem, and both
are vulnerable.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://bugs.gentoo.org/show_bug.cgi?id=130889
[2] http://bugs.gentoo.org/attachment.cgi?id=88029&action=view

[CVE-2006-3005.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#373672; Package libjpeg-mmx.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.


Message #10 received at 373672@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Alec Berryman <alec@thened.net>, 373672@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#373672: libjpeg-mmx: CVE-2006-3005: memory exhaustion
Date: Thu, 15 Jun 2006 12:10:15 +0200
On Wed, Jun 14, 2006 at 05:53:45PM -0500, Alec Berryman wrote:
> Package: libjpeg-mmx
> Severity: important
> Tags: security patch
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> CVE-2006-3005: "The JPEG library in media-libs/jpeg before 6b-r7 on
> Gentoo Linux is built without the -maxmem feature, which could allow
> context-dependent attackers to cause a denial of service (memory
> exhaustion) via a crafted JPEG file that exceeds the intended memory
> limits."
> 
> Although the CVE is Gentoo-specific, Debian's libjpeg-mmx is not built
> with --maxmem enabled, making it vulnerable.  I have attached a trivial
> patch to enable --maxmem to the same limit used in libjpeg62.  The
> Gentoo bug report mentioned in the CVE [1] contains a more elaborate
> patch [2] that limits the maximum amount of allocatable memory to 95% of
> physical memory.  I believe the second patch is the better solution -
> libjpeg62 sets maxmem to 1024MB, and that doesn't help much when mem +
> swap is less than 1024 (the sample exploit image attached to the Gentoo
> bug starts my computer thrashing).
> 
> Neither the Woody nor the Sarge version build with --maxmem and are
> vulnerable.

I don't see the point. There are valid use cases, where very large files
are required and if an admin encounters problems with users handling
overly large pictures she can apply site-specific resource limits.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#373672; Package libjpeg-mmx.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.


Message #15 received at 373672@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 373672@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#373672: libjpeg-mmx: CVE-2006-3005: memory exhaustion
Date: Fri, 16 Jun 2006 12:51:41 -0400
Moritz Muehlenhoff on 2006-06-15 12:10:15 +0200:

> On Wed, Jun 14, 2006 at 05:53:45PM -0500, Alec Berryman wrote:
> 
> > Although the CVE is Gentoo-specific, Debian's libjpeg-mmx is not built
> > with --maxmem enabled, making it vulnerable.  I have attached a trivial
> > patch to enable --maxmem to the same limit used in libjpeg62.  The
> > Gentoo bug report mentioned in the CVE [1] contains a more elaborate
> > patch [2] that limits the maximum amount of allocatable memory to 95% of
> > physical memory.  I believe the second patch is the better solution -
> > libjpeg62 sets maxmem to 1024MB, and that doesn't help much when mem +
> > swap is less than 1024 (the sample exploit image attached to the Gentoo
> > bug starts my computer thrashing).
> 
> I don't see the point. There are valid use cases, where very large files
> are required and if an admin encounters problems with users handling
> overly large pictures she can apply site-specific resource limits.

The sample exploit JPEG [1] is under 1kb; that's easily small enough to
smuggle into a web page or upload to an unsuspecting image processor.

That being said, while the exploit worked for me yesterday, it doesn't
for me today.  I'm not sure what changed (or if I just screwed up the
first time); if no one can confirm this, it ought to be closed.

[1] http://bugs.gentoo.org/attachment.cgi?id=85214
[Message part 2 (application/pgp-signature, inline)]
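
An added example, not part of the bug log or of libjpeg-mmx: a pre-decode check that an image-processing service can run regardless of how the library was built. It reads the dimensions declared in the JPEG frame header and refuses files whose decoded size would exceed a budget. The function and constant names and the size estimate (width x height x components x bytes per sample) are assumptions, and both sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { JPEG_OK = 0, JPEG_MALFORMED = -1, JPEG_TOO_BIG = -2 };  /* hypothetical names */

/* Walk marker segments up to the first SOFn frame header and compare the declared
 * size with the budget. Nothing is allocated; *need receives the estimate. */
int jpeg_predecode_check(const uint8_t *b, size_t len, uint64_t budget, uint64_t *need)
{
    size_t i = 2;
    if (len < 4 || b[0] != 0xFF || b[1] != 0xD8) return JPEG_MALFORMED;  /* no SOI */
    while (i + 4 <= len) {
        uint8_t m = b[i + 1];
        if (b[i] != 0xFF) return JPEG_MALFORMED;
        if (m == 0xFF) { i++; continue; }                                /* fill byte */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { i += 2; continue; } /* no length */
        if (m == 0xD8 || m == 0xD9 || m == 0xDA) return JPEG_MALFORMED;  /* no SOF seen */
        size_t seg = ((size_t)b[i + 2] << 8) | b[i + 3];   /* counts its own 2 bytes */
        if (seg < 2 || seg > len - (i + 2)) return JPEG_MALFORMED;
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            const uint8_t *p = b + i + 4;        /* precision, height, width, ncomp */
            if (seg < 8) return JPEG_MALFORMED;
            uint64_t h = ((uint64_t)p[1] << 8) | p[2], w = ((uint64_t)p[3] << 8) | p[4];
            /* height 0 (deferred to a DNL marker) is refused rather than guessed */
            if (p[0] == 0 || h == 0 || w == 0 || p[5] == 0) return JPEG_MALFORMED;
            *need = w * h * p[5] * ((p[0] + 7u) / 8u);
            return *need > budget ? JPEG_TOO_BIG : JPEG_OK;
        }
        i += 2 + seg;
    }
    return JPEG_MALFORMED;                       /* ran out of data before any SOF */
}

/* Constructed inputs: a 27-byte header declaring 65535 x 65535 x 3, and 16 x 16 x 3. */
static const uint8_t sample_huge[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x04,'J','F',
    0xFF,0xC0,0x00,0x11,0x08,0xFF,0xFF,0xFF,0xFF,0x03, 1,0x11,0, 2,0x11,1, 3,0x11,1 };
static const uint8_t sample_small[] = { 0xFF,0xD8,
    0xFF,0xC0,0x00,0x11,0x08,0x00,0x10,0x00,0x10,0x03, 1,0x11,0, 2,0x11,1, 3,0x11,1 };

int main(void)
{
    uint64_t need = 0, budget = 1024ull << 20;   /* 1024 MB, the figure quoted in the report */
    int rc = jpeg_predecode_check(sample_huge, sizeof sample_huge, budget, &need);
    printf("huge:  rc=%d need=%llu bytes\n", rc, (unsigned long long)need);
    rc = jpeg_predecode_check(sample_small, sizeof sample_small, budget, &need);
    printf("small: rc=%d need=%llu bytes\n", rc, (unsigned long long)need);
    return 0;
}
```

The check complements, and does not replace, a library memory cap or per-process resource limits, since a decoder's working memory can exceed the raw pixel estimate.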

Reply sent to Matej Vela <vela@debian.org>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #20 received at 373672-done@bugs.debian.org:

From: Matej Vela <vela@debian.org>
To: 129411-done@bugs.debian.org, 195050-done@bugs.debian.org, 323354-done@bugs.debian.org, 367949-done@bugs.debian.org, 373672-done@bugs.debian.org, 379497-done@bugs.debian.org
Subject: Removed
Date: Tue, 15 Aug 2006 20:51:28 +0200
libjpeg-mmx has been removed from Debian due to serious bugs and
upstream inactivity.  For details, see <http://bugs.debian.org/382584>.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 16:50:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:20:11 2019; Machine Name: buxtehude
