libjpeg-turbo: User-assisted execution of arbitrary code — GLSA 201612-55

An out-of-bounds read in libjpeg-turbo might allow remote attackers to execute arbitrary code.

Affected Packages

media-libs/libjpeg-turbo on all architectures
Affected versions < 1.5.0
Unaffected versions >= 1.5.0

Background

libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression.

Description

The accelerated Huffman decoder was previously invoked if there were 128 bytes in the input buffer. However, it is possible to construct a JPEG image with Huffman blocks > 430 bytes in length. This release simply increases the minimum buffer size for the accelerated Huffman decoder to 512 bytes, which should accommodate any possible input.

Impact

A remote attacker could coerce the victim to run a specially crafted image file resulting in the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All libjpeg-turbo users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-1.5.0"
 

References

Release Date
December 31, 2016

Latest Revision
December 31, 2016: 1

Severity
normal

Exploitable
remote

Bugzilla entries