jpegqs: CVE-2022-35434 - floating point exception with corrupt image

Related Vulnerabilities: CVE-2022-35434  

Debian Bug report logs - #1017608

Reported by: Neil Williams <codehelp@debian.org>

Date: Thu, 18 Aug 2022 10:33:01 UTC

Severity: important

Tags: security, upstream

Found in version jpegqs/1.20210408-2

Fixed in version jpegqs/1.20210408-3

Done: Adam Borowski <kilobyte@angband.pl>

Forwarded to https://github.com/ilyakurdyukov/jpeg-quantsmooth/issues/25


Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Adam Borowski <kilobyte@angband.pl>:
Bug#1017608; Package src:jpegqs. (Thu, 18 Aug 2022 10:33:03 GMT).


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Adam Borowski <kilobyte@angband.pl>. (Thu, 18 Aug 2022 10:33:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jpegqs: CVE-2022-35434 - floating point exception with corrupt image
Date: Thu, 18 Aug 2022 11:29:44 +0100
Source: jpegqs
Version: 1.20210408-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for jpegqs.

CVE-2022-35434[0]:
| jpeg-quantsmooth before commit 8879454 contained a floating point
| exception (FPE) via /jpeg-quantsmooth/jpegqs+0x4f5d6c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-35434
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35434

Please adjust the affected versions in the BTS as needed.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.0-4-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Set Bug forwarded-to-address to 'https://github.com/ilyakurdyukov/jpeg-quantsmooth/issues/25'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 18 Aug 2022 12:33:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#1017608; Package src:jpegqs. (Thu, 18 Aug 2022 12:39:03 GMT).


Acknowledgement sent to Adam Borowski <kilobyte@angband.pl>:
Extra info received and forwarded to list. (Thu, 18 Aug 2022 12:39:03 GMT).


Message #12 received at 1017608@bugs.debian.org:

From: Adam Borowski <kilobyte@angband.pl>
To: Neil Williams <codehelp@debian.org>, 1017608@bugs.debian.org
Subject: Re: Bug#1017608: jpegqs: CVE-2022-35434 - floating point exception with corrupt image
Date: Thu, 18 Aug 2022 14:35:41 +0200

On Thu, Aug 18, 2022 at 11:29:44AM +0100, Neil Williams wrote:
> Source: jpegqs
> Severity: important
> Tags: security upstream

> The following vulnerability was published for jpegqs.
> 
> CVE-2022-35434[0]:
> | jpeg-quantsmooth before commit 8879454 contained a floating point
> | exception (FPE) via /jpeg-quantsmooth/jpegqs+0x4f5d6c.

Hi,
I don't quite see why that would be a security issue.  Crashing on a
corrupted image is not nice, but the result is hardly different from
failing with a proper error message.  The division by zero is not
something that can be exploited further.

The package hasn't yet been a part of a stable release, though, thus
either way a regular upload to unstable should be enough.

If there's anything else I need to do, please shout.

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-35434
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35434


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ You're alive.  But that's just a phase.
⠈⠳⣄⠀⠀⠀⠀



Reply sent to Adam Borowski <kilobyte@angband.pl>:
You have taken responsibility. (Thu, 18 Aug 2022 12:51:06 GMT).


Notification sent to Neil Williams <codehelp@debian.org>:
Bug acknowledged by developer. (Thu, 18 Aug 2022 12:51:06 GMT).


Message #17 received at 1017608-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1017608-close@bugs.debian.org
Subject: Bug#1017608: fixed in jpegqs 1.20210408-3
Date: Thu, 18 Aug 2022 12:48:57 +0000
Source: jpegqs
Source-Version: 1.20210408-3
Done: Adam Borowski <kilobyte@angband.pl>

We believe that the bug you reported is fixed in the latest version of
jpegqs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1017608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Borowski <kilobyte@angband.pl> (supplier of updated jpegqs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Aug 2022 14:23:00 +0200
Source: jpegqs
Architecture: source
Version: 1.20210408-3
Distribution: unstable
Urgency: medium
Maintainer: Adam Borowski <kilobyte@angband.pl>
Changed-By: Adam Borowski <kilobyte@angband.pl>
Closes: 1017608
Changes:
 jpegqs (1.20210408-3) unstable; urgency=medium
 .
   * Fix a divide by zero on corrupted images (closes: #1017608,
     CVE-2022-35434).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 18 13:18:40 2022; Machine Name: buxtehude
