[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Multiple Vulnerabilities in jpeg-xl (CVE-2021-27804)
From: Marc <mh () mh-sec ! de>
Date: 2021-02-27 11:33:42
Message-ID: fb908fa6-c542-c2a9-66fb-b38dc5e386ed () mh-sec ! de
[Download RAW message or body]
Multiple Vulnerabilities in jpeg-xl
===================================
CVE: CVE-2021-27804
Highest Severity Rating: High
Confirmed Affected Versions: jpeg-xl v0.3.1 and earlier
Vendor: Joint Photographic Experts Group (JPEG)
Vendor URL: https://gitlab.com/wg1/jpeg-xl
Summary and Impact
------------------
jpeg-xl is the reference implementation by the Joint Photographic
Experts Group (JPEG) of the new JPEG XL standard.
Multiple memory corruption vulnerabilities were found and reported in
the last 3 months. The security issues were responsively reported to
the vendor and were fixed in subsequent version, however silently.
The changelog does not reflect security issues being fixed:
jpeg-xl (0.3.2) urgency=medium
* Bump JPEG XL version to 0.3.2.
* Fix embedded ICC encoding regression #149.
-- Fri, 12 Feb 2021 21:00:12 +0100
jpeg-xl (0.3.1) urgency=medium
* Bump JPEG XL version to 0.3.1.
-- Tue, 09 Feb 2021 09:48:43 +0100
jpeg-xl (0.3) urgency=medium
* Bump JPEG XL version to 0.3.
-- Wed, 27 Jan 2021 22:36:32 +0100
All the while it is already being available e.g. in Arch Linux
(https://aur.archlinux.org/packages/libjpeg-xl-git/) and FreeBSD
(https://pkgs.org/download/jpeg-xl) and is currently in the process of
being added to Debian and therefore to Ubuntu and Kali Linux.
Hence the need to sit down and write a boring advisory to publish on a
mailing list instead of doing something more interesting :(
For anyone interested, the memory corruptions were discovered by using
the AFL++ fuzzer (https://github.com/AFLplusplus/AFLplusplus) for just a
few hours for testing purposes. The current v0.3.2 release of jpeg-xl
also produces writeable memory corruptions when fuzzing for a very short
time (with a good starting corpus that is).
Recommendation
--------------
The vendor should establish a proper notification on fixed security
issues in the changelog and not put the Internet at risk.
--
Marc Heuse
www.mh-sec.de
PGP: AF3D 1D4C D810 F0BB 977D 3807 C7EE D0A0 6BE9 F573
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic