[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Multiple Vulnerabilities in jpeg-xl (CVE-2021-27804)
From:       Marc <mh () mh-sec ! de>
Date:       2021-02-27 11:33:42
Message-ID: fb908fa6-c542-c2a9-66fb-b38dc5e386ed () mh-sec ! de
[Download RAW message or body]


Multiple Vulnerabilities in jpeg-xl
===================================
CVE: CVE-2021-27804
Highest Severity Rating: High
Confirmed Affected Versions: jpeg-xl v0.3.1 and earlier
Vendor: Joint Photographic Experts Group (JPEG)
Vendor URL: https://gitlab.com/wg1/jpeg-xl


Summary and Impact
------------------
jpeg-xl is the reference implementation by the Joint Photographic
Experts Group (JPEG) of the new JPEG XL standard.
Multiple memory corruption vulnerabilities were found and reported in
the last 3 months. The security issues were responsively reported to
the vendor and were fixed in subsequent version, however silently.

The changelog does not reflect security issues being fixed:

jpeg-xl (0.3.2) urgency=medium

  * Bump JPEG XL version to 0.3.2.
  * Fix embedded ICC encoding regression #149.

 -- Fri, 12 Feb 2021 21:00:12 +0100

jpeg-xl (0.3.1) urgency=medium

  * Bump JPEG XL version to 0.3.1.

 -- Tue, 09 Feb 2021 09:48:43 +0100

jpeg-xl (0.3) urgency=medium

  * Bump JPEG XL version to 0.3.

 -- Wed, 27 Jan 2021 22:36:32 +0100

All the while it is already being available e.g. in Arch Linux
(https://aur.archlinux.org/packages/libjpeg-xl-git/) and FreeBSD
(https://pkgs.org/download/jpeg-xl) and is currently in the process of
being added to Debian and therefore to Ubuntu and Kali Linux.

Hence the need to sit down and write a boring advisory to publish on a
mailing list instead of doing something more interesting :(

For anyone interested, the memory corruptions were discovered by using
the AFL++ fuzzer (https://github.com/AFLplusplus/AFLplusplus) for just a
few hours for testing purposes. The current v0.3.2 release of jpeg-xl
also produces writeable memory corruptions when fuzzing for a very short
time (with a good starting corpus that is).


Recommendation
--------------
The vendor should establish a proper notification on fixed security
issues in the changelog and not put the Internet at risk.


-- 
Marc Heuse
www.mh-sec.de

PGP: AF3D 1D4C D810 F0BB 977D  3807 C7EE D0A0 6BE9 F573

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic