Fix CVE-2018-11813 (#1588804)

2018-06-15 13:04:16 +02:00 · 2018-06-15 13:04:16 +02:00 · a2d36ac1a0
parent 00790f8027
commit a2d36ac1a0
2 changed files with 65 additions and 1 deletions
--- a/libjpeg-turbo-CVE-2018-11813.patch
+++ b/libjpeg-turbo-CVE-2018-11813.patch
@ -0,0 +1,59 @@
+From fccf53aed0093a626fca15f0d25f46fb6ed3e770 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 12 Jun 2018 16:08:26 -0500
+Subject: [PATCH] Fix CVE-2018-11813
+
+Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
+file (specifically, a file with a valid Targa header but incomplete pixel data)
+would cause cjpeg to generate a JPEG file that was potentially thousands of
+times larger than the input file.  The Targa reader in cjpeg was not properly
+detecting that the end of the input file had been reached prematurely, so after
+all valid pixels had been read from the input, the reader injected dummy pixels
+with values of 255 into the JPEG compressor until the number of pixels
+specified in the Targa header had been compressed.  The Targa reader in cjpeg
+now behaves like the PPM reader and aborts compression if the end of the input
+file is reached prematurely.  Because this issue only affected cjpeg and not
+the underlying library, and because it did not involve any out-of-bounds reads
+or other exploitable behaviors, it was not believed to represent a security
+threat.
+---
+ rdtarga.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/rdtarga.c b/rdtarga.c
+index ecb4219..e0c6947 100644
+--- a/rdtarga.c
+++ b/rdtarga.c
+@@ -126,11 +126,10 @@ METHODDEF(void)
+ read_non_rle_pixel(tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file; no RLE expansion */
+ {
+-  register FILE *infile = sinfo->pub.input_file;
+   register int i;
+ 
+   for (i = 0; i < sinfo->pixel_size; i++) {
+-    sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
+    sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
+   }
+ }
+ 
+@@ -139,7 +138,6 @@ METHODDEF(void)
+ read_rle_pixel(tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file, expanding RLE data as needed */
+ {
+-  register FILE *infile = sinfo->pub.input_file;
+   register int i;
+ 
+   /* Duplicate previously read pixel? */
+@@ -161,7 +159,7 @@ read_rle_pixel(tga_source_ptr sinfo)
+ 
+   /* Read next pixel */
+   for (i = 0; i < sinfo->pixel_size; i++) {
+-    sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
+    sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
+   }
+ }
+ 
+-- 
+2.17.1
+
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@ -1,12 +1,13 @@
 Name:           libjpeg-turbo
 Version:        1.5.90
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License:        IJG
 URL:            http://sourceforge.net/projects/libjpeg-turbo

 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0:         libjpeg-turbo-cmake.patch
+Patch1:         libjpeg-turbo-CVE-2018-11813.patch

 BuildRequires:  gcc
 BuildRequires:  cmake
@ -69,6 +70,7 @@ manipulate JPEG files using the TurboJPEG library.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1

 %build
 %{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@ -168,6 +170,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc

 %changelog
+* Fri Jun 15 2018 Nikola Forró <nforro@redhat.com> - 1.5.90-2
+- Fix CVE-2018-11813 (#1588804)
+
 * Wed Mar 28 2018 Nikola Forró <nforro@redhat.com> - 1.5.90-1
 - New upstream release 1.5.90 (#1560219)