libjpeg8: CVE-2013-6629

Related Vulnerabilities: CVE-2013-6629, CVE-2013-6630

Debian Bug report logs - #729867


Package: libjpeg8; Maintainer for libjpeg8 is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 18 Nov 2013 12:48:02 UTC

Severity: important

Tags: patch, security

Fixed in version libjpeg8/8d-2

Done: Bill Allombert <ballombe@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bill Allombert <ballombe@debian.org>:
Bug#729867; Package libjpeg8. (Mon, 18 Nov 2013 12:48:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bill Allombert <ballombe@debian.org>. (Mon, 18 Nov 2013 12:48:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libjpeg8: CVE-2013-6629
Date: Mon, 18 Nov 2013 13:37:59 +0100
Package: libjpeg8
Severity: important
Tags: security

Hi Bill.
I noticed the following in the recent Google Chrome release announcement:
http://googlechromereleases.blogspot.de/2013/11/stable-channel-update.html

| [258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and 
| libjpeg-turbo. Credit to Michal Zalewski of Google.

The related Google bug is closed, but after some digging I found this
posting:
http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html

I don't think this warrants a DSA, but we could still fix this up in a point
release, let me know if you disagree.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#729867; Package libjpeg8. (Mon, 18 Nov 2013 13:12:08 GMT)


Acknowledgement sent to Bill Allombert <ballombe@debian.org>:
Extra info received and forwarded to list. (Mon, 18 Nov 2013 13:12:08 GMT)


Message #10 received at 729867@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 729867@bugs.debian.org
Subject: Re: Bug#729867: libjpeg8: CVE-2013-6629
Date: Mon, 18 Nov 2013 14:08:12 +0100
On Mon, Nov 18, 2013 at 01:37:59PM +0100, Moritz Muehlenhoff wrote:
> Package: libjpeg8
> Severity: important
> Tags: security
> 
> Hi Bill.
> I noticed the following in the recent Google Chrome release announcement:
> http://googlechromereleases.blogspot.de/2013/11/stable-channel-update.html
> 
> | [258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and 
> | libjpeg-turbo. Credit to Michal Zalewski of Google.
> 
> The related Google bug is closed, but after some digging I found this
> posting:
> http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html
> 
> I don't think this warrants a DSA, but we could still fix this up in a point
> release, let me know if you disagree.

Thanks Moritz,
I also need to fix libjpeg6b and libjpeg8 in sid and testing.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Bill Allombert <ballombe@debian.org>:
Bug#729867; Package libjpeg8. (Sun, 01 Dec 2013 17:45:11 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Bill Allombert <ballombe@debian.org>. (Sun, 01 Dec 2013 17:45:11 GMT)


Message #15 received at 729867@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 729867@bugs.debian.org
Subject: Re: Bug#729867: libjpeg8: CVE-2013-6629
Date: Sun, 1 Dec 2013 12:41:26 -0500
control: tag -1 patch
control: tag -1 pending

Hi, I've uploaded an nmu fixing this issue to delayed/5.  Please see
attached patch.

Best wishes,
Mike
[jpeg.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to 729867-submit@bugs.debian.org. (Sun, 01 Dec 2013 17:45:11 GMT)


Added tag(s) pending. Request was from Michael Gilbert <mgilbert@debian.org> to 729867-submit@bugs.debian.org. (Sun, 01 Dec 2013 17:45:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#729867; Package libjpeg8. (Sun, 01 Dec 2013 18:09:08 GMT)


Acknowledgement sent to Bill Allombert <ballombe@debian.org>:
Extra info received and forwarded to list. (Sun, 01 Dec 2013 18:09:08 GMT)


Message #24 received at 729867@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Michael Gilbert <mgilbert@debian.org>, 729867@bugs.debian.org
Subject: Re: Bug#729867: libjpeg8: CVE-2013-6629
Date: Sun, 1 Dec 2013 19:05:59 +0100
On Sun, Dec 01, 2013 at 12:41:26PM -0500, Michael Gilbert wrote:
> control: tag -1 patch
> control: tag -1 pending
> 
> Hi, I've uploaded an nmu fixing this issue to delayed/5.  Please see
> attached patch.

Thanks a lot!

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Reply sent to Bill Allombert <ballombe@debian.org>:
You have taken responsibility. (Tue, 03 Dec 2013 23:36:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 03 Dec 2013 23:36:05 GMT)


Message #29 received at 729867-close@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: 729867-close@bugs.debian.org
Subject: Bug#729867: fixed in libjpeg8 8d-2
Date: Tue, 03 Dec 2013 23:33:47 +0000
Source: libjpeg8
Source-Version: 8d-2

We believe that the bug you reported is fixed in the latest version of
libjpeg8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729867@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bill Allombert <ballombe@debian.org> (supplier of updated libjpeg8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 02 Dec 2013 23:11:23 +0100
Source: libjpeg8
Binary: libjpeg8 libjpeg8-dev libjpeg8-dbg libjpeg-progs
Architecture: source amd64
Version: 8d-2
Distribution: unstable
Urgency: high
Maintainer: Bill Allombert <ballombe@debian.org>
Changed-By: Bill Allombert <ballombe@debian.org>
Description: 
 libjpeg-progs - Programs for manipulating JPEG files
 libjpeg8   - Independent JPEG Group's JPEG runtime library
 libjpeg8-dbg - Development files for the IJG JPEG library
 libjpeg8-dev - Development files for the IJG JPEG library
Closes: 729867
Changes: 
 libjpeg8 (8d-2) unstable; urgency=high
 .
   * Apply upstream patch to fix CVE-2013-6629 and CVE-2013-6630.
     closes: #729867.
Checksums-Sha1: 
 a23672a7cb9d42d019951ecaa237718a3a0d723f 1165 libjpeg8_8d-2.dsc
 1b9c17f9a791d17267f563fe1da42a7eb2a28324 14764 libjpeg8_8d-2.debian.tar.gz
 82f77f57155b8c5720a644a18513aa0b7ee732ce 120270 libjpeg8_8d-2_amd64.deb
 9468404ee2b9407f8b58e2462bcb44c3ee37174d 217334 libjpeg8-dev_8d-2_amd64.deb
 10f254f9e2644a1391d05791b8e7e469a577aae2 268334 libjpeg8-dbg_8d-2_amd64.deb
 9a7ac37f34cdbc6e92df9f7372b558797a1e3ff1 78656 libjpeg-progs_8d-2_amd64.deb
Checksums-Sha256: 
 add5d2fae5fb1efe6144462858a5f3f701a94dbbfb983623ea31d3db0f589106 1165 libjpeg8_8d-2.dsc
 9b36468b2aba24d63d3c87625de89f31834ac429e6dec7d68d86a52b5110219c 14764 libjpeg8_8d-2.debian.tar.gz
 de2f10daa6f328a2e71526a0d2d46ec0bf6ed30b260718492859020925697727 120270 libjpeg8_8d-2_amd64.deb
 0ac3597ea737eb0b95d77de5bd8eb592cb3c97f7202b11b3198afce6535d601e 217334 libjpeg8-dev_8d-2_amd64.deb
 648b42d0175359f66045d4032da9b73e268dbdf868e2dd02e83f41ba221dff83 268334 libjpeg8-dbg_8d-2_amd64.deb
 7c9bd1875fc2322faccae666fcf246d54df77e7654b4f3da4faebb044120601f 78656 libjpeg-progs_8d-2_amd64.deb
Files: 
 4a5e628f52d2736b43cc10b0040c498a 1165 graphics optional libjpeg8_8d-2.dsc
 efb851981026627f8722e4a9e0e13b62 14764 graphics optional libjpeg8_8d-2.debian.tar.gz
 e20facda363c9f6ae57f992a5f98461c 120270 libs optional libjpeg8_8d-2_amd64.deb
 2fd309f809ab4534c5244343bc94d0d8 217334 libdevel optional libjpeg8-dev_8d-2_amd64.deb
 54a8b5ac27c5d376d162416051f9817e 268334 debug extra libjpeg8-dbg_8d-2_amd64.deb
 5674384a322f5f7f9d287c6872d04ecc 78656 graphics optional libjpeg-progs_8d-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlKeZZgACgkQeDPs8bVESBXdOACeN6klSLd6iQoYlUTToo60iG7l
G2sAniwcDxjXN+4A9Urx3AUOEaJoJm83
=S5hz
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#729867; Package libjpeg8. (Wed, 11 Dec 2013 12:03:08 GMT)


Acknowledgement sent to Bill Allombert <ballombe@debian.org>:
Extra info received and forwarded to list. (Wed, 11 Dec 2013 12:03:08 GMT)


Message #34 received at 729867@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 729867@bugs.debian.org
Subject: Re: Bug#729867: libjpeg8: CVE-2013-6629
Date: Wed, 11 Dec 2013 13:01:23 +0100
On Mon, Nov 18, 2013 at 01:37:59PM +0100, Moritz Muehlenhoff wrote:
> Package: libjpeg8
> Severity: important
> Tags: security
> 
> Hi Bill.
> I noticed the following in the recent Google Chrome release announcement:
> http://googlechromereleases.blogspot.de/2013/11/stable-channel-update.html
> 
> | [258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and 
> | libjpeg-turbo. Credit to Michal Zalewski of Google.
> 
> The related Google bug is closed, but after some digging I found this
> posting:
> http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html
> 
> I don't think this warrants a DSA, but we could still fix this up in a point
> release, let me know if you disagree.

Hello Moritz,
I have uploaded libjpeg8 8d-2 and libjpeg6b 6b1-4 (which are now in testing); they
are identical to the wheezy versions except for this change.

So they can just be rebuilt for wheezy and uploaded.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#729867; Package libjpeg8. (Wed, 18 Dec 2013 17:18:04 GMT)


Acknowledgement sent to Bill Allombert <ballombe@debian.org>:
Extra info received and forwarded to list. (Wed, 18 Dec 2013 17:18:04 GMT)


Message #39 received at 729867@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Bill Allombert <ballombe@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 729867@bugs.debian.org
Subject: Re: Bug#729867: libjpeg8: CVE-2013-6629
Date: Wed, 18 Dec 2013 18:15:22 +0100
On Wed, Dec 11, 2013 at 01:01:23PM +0100, Bill Allombert wrote:
> On Mon, Nov 18, 2013 at 01:37:59PM +0100, Moritz Muehlenhoff wrote:
> > Package: libjpeg8
> > Severity: important
> > Tags: security
> 
> Hello Moritz,
> I have uploaded libjpeg8 8d-2 and libjpeg6b 6b1-4 (which are now in testing); they
> are identical to the wheezy versions except for this change.
> 
> So they can just be rebuilt for wheezy and uploaded.

Do I need to do something for the wheezy update for libjpeg ?

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Bill Allombert <ballombe@debian.org>:
Bug#729867; Package libjpeg8. (Wed, 18 Dec 2013 18:03:08 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Bill Allombert <ballombe@debian.org>. (Wed, 18 Dec 2013 18:03:08 GMT)


Message #44 received at 729867@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Bill Allombert <ballombe@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 729867@bugs.debian.org
Subject: Re: Bug#729867: libjpeg8: CVE-2013-6629
Date: Wed, 18 Dec 2013 19:00:35 +0100
On Wed, Dec 18, 2013 at 06:15:22PM +0100, Bill Allombert wrote:
> On Wed, Dec 11, 2013 at 01:01:23PM +0100, Bill Allombert wrote:
> > On Mon, Nov 18, 2013 at 01:37:59PM +0100, Moritz Muehlenhoff wrote:
> > > Package: libjpeg8
> > > Severity: important
> > > Tags: security
> > 
> > Hello Moritz,
> > I have uploaded libjpeg8 8d-2 and libjpeg6b 6b1-4 (which are now in testing); they
> > are identical to the wheezy versions except for this change.
> > 
> > So they can just be rebuilt for wheezy and uploaded.
> 
> Do I need to do something for the wheezy update for libjpeg ?

The process is outlined here:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable 

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 Jan 2014 07:36:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:32:58 2019; Machine Name: buxtehude
