N/A - GLSA-201612-55

Synopsis

An out-of-bounds read in libjpeg-turbo might allow remote attackers to execute arbitrary code.

Background

libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression.

Description

The accelerated Huffman decoder was previously invoked if there were
128 bytes in the input buffer. However, it is possible to construct a JPEG image with Huffman blocks > 430 bytes in length. This release simply increases the minimum buffer size for the accelerated Huffman decoder to 512 bytes, which should accommodate any possible input.

Impact

A remote attacker could coerce the victim to run a specially crafted image file resulting in the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All libjpeg-turbo users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-1.5.0"

References

[ 1 ] LJT-01-005
https://wiki.mozilla.org/images/7/77/Libjpeg-turbo-report.pdf
[ 2 ] Prevent overread when decoding malformed JPEG

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0463f7c9aad060fcd56e98d025ce16185279e2bc

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201612-55