libjpeg9: CVE-2016-3616: null pointer dereference in cjpeg


Debian Bug report logs - #819969


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 4 Apr 2016 12:39:01 UTC

Severity: important

Tags: security, upstream

Found in version libjpeg9/1:9b-1

Fixed in version libjpeg9/1:9b-2

Done: Bill Allombert <ballombe@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bill Allombert <ballombe@debian.org>:
Bug#819969; Package src:libjpeg9. (Mon, 04 Apr 2016 12:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bill Allombert <ballombe@debian.org>. (Mon, 04 Apr 2016 12:39:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libjpeg9: CVE-2016-3616: null pointer dereference in cjpeg
Date: Mon, 04 Apr 2016 14:35:03 +0200
Source: libjpeg9
Version: 1:9b-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libjpeg9. The issue
is in the cjpeg utility.

CVE-2016-3616[0]:
null pointer dereference in cjpeg

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3616
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1319661
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1318509

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#819969; Package src:libjpeg9. (Mon, 04 Apr 2016 21:48:12 GMT)


Acknowledgement sent to Bill Allombert <ballombe@debian.org>:
Extra info received and forwarded to list. (Mon, 04 Apr 2016 21:48:12 GMT)


Message #10 received at 819969@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 819969@bugs.debian.org
Subject: Re: Bug#819969: libjpeg9: CVE-2016-3616: null pointer dereference in cjpeg
Date: Mon, 4 Apr 2016 21:10:16 +0200
On Mon, Apr 04, 2016 at 02:35:03PM +0200, Salvatore Bonaccorso wrote:
> Source: libjpeg9
> Version: 1:9b-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for libjpeg9. The issue
> is in the cjpeg utility.
> 
> CVE-2016-3616[0]:
> null pointer dereference in cjpeg
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Hello Salvatore,

Upstream has confirmed that only cjpeg is affected, and so
only libjpeg-progs and not the binary package libjpeg9.

Thanks for your report!
-- 
Bill. <ballombe@debian.org>




Information forwarded to debian-bugs-dist@lists.debian.org, Bill Allombert <ballombe@debian.org>:
Bug#819969; Package src:libjpeg9. (Tue, 05 Apr 2016 05:24:16 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bill Allombert <ballombe@debian.org>. (Tue, 05 Apr 2016 05:24:16 GMT)


Message #15 received at 819969@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bill Allombert <ballombe@debian.org>
Cc: 819969@bugs.debian.org
Subject: Re: Bug#819969: libjpeg9: CVE-2016-3616: null pointer dereference in cjpeg
Date: Tue, 5 Apr 2016 07:23:14 +0200
Hi Bill,

On Mon, Apr 04, 2016 at 09:10:16PM +0200, Bill Allombert wrote:
> On Mon, Apr 04, 2016 at 02:35:03PM +0200, Salvatore Bonaccorso wrote:
> > Source: libjpeg9
> > Version: 1:9b-1
> > Severity: important
> > Tags: security upstream
> > 
> > Hi,
> > 
> > the following vulnerability was published for libjpeg9. The issue
> > is in the cjpeg utility.
> > 
> > CVE-2016-3616[0]:
> > null pointer dereference in cjpeg
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Hello Salvatore,
> 
> Upstream has confirmed that only cjpeg is affected, and so
> only libjpeg-progs and not the binary package libjpeg9.

Yes, this is true; thus I have reported it against the source package, since
the vulnerable code is present. Untested, but I guess the same patch
applies as was used for libjpeg-turbo to resolve the problem in the cjpeg
utility.

Thanks for the quick follow-up and regards,
Salvatore



Reply sent to Bill Allombert <ballombe@debian.org>:
You have taken responsibility. (Mon, 01 Aug 2016 22:42:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 01 Aug 2016 22:42:13 GMT)


Message #20 received at 819969-close@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: 819969-close@bugs.debian.org
Subject: Bug#819969: fixed in libjpeg9 1:9b-2
Date: Mon, 01 Aug 2016 22:40:11 +0000
Source: libjpeg9
Source-Version: 1:9b-2

We believe that the bug you reported is fixed in the latest version of
libjpeg9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 819969@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bill Allombert <ballombe@debian.org> (supplier of updated libjpeg9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 30 Jul 2016 13:27:31 +0200
Source: libjpeg9
Binary: libjpeg9 libjpeg9-dev libjpeg9-dbg libjpeg-progs
Architecture: source amd64
Version: 1:9b-2
Distribution: unstable
Urgency: low
Maintainer: Bill Allombert <ballombe@debian.org>
Changed-By: Bill Allombert <ballombe@debian.org>
Description:
 libjpeg-progs - Programs for manipulating JPEG files
 libjpeg9   - Independent JPEG Group's JPEG runtime library
 libjpeg9-dbg - Development files for the IJG JPEG library
 libjpeg9-dev - Development files for the IJG JPEG library
Closes: 819969
Changes:
 libjpeg9 (1:9b-2) unstable; urgency=low
 .
   * New patches:
      CVE-2016-3616, CVE-2016-3616-2:
      fix null pointer dereference in cjpeg [CVE-2016-3616]. Closes: #819969
   * debian/control:
     - Bump standard version to 3.9.7.
   * debian/rules: use dh_makeshlibs




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 30 Aug 2016 07:32:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:18:18 2019; Machine Name: buxtehude
