[Bug 989342] New: VUL-0: CVE-2016-6234, CVE-2016-6235, CVE-2016-6236, CVE-2016-6237, CVE-2016-6234: leptop: multiple issues
http://bugzilla.opensuse.org/show_bug.cgi?id=989342

Bug ID: 989342
Summary: VUL-0: CVE-2016-6234, CVE-2016-6235, CVE-2016-6236, CVE-2016-6237, CVE-2016-6234: leptop: multiple issues
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: openSUSE 42.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: mpluskal@suse.com
Reporter: astieger@suse.com
QA Contact: opensuse-communityscreening@forge.provo.novell.com
CC: security-team@suse.de
Found By: Security Response Team
Blocker: ---

Courtesy bug from the security team against Archiving/lepton.
It is at 1.0, upstream is 1.2.1 and may still have fixes to come for the below.

http://seclists.org/oss-sec/2016/q3/87

I just reported on dropbox/lepton github project some memory corruption issues, with reproducers.

https://github.com/dropbox/lepton/issues/26

download some samples that will cause memory corruption problems in lepton:

https://github.com/marcograss/marcograss.github.io/blob/master/assets/lepton...

you can reproduce with

    ./lepton/lepton -singlethread -unjailed -preload testcase.jpeg /tmp/out.lep

AddressSanitizer: unknown-crash
READ of size 208
    #0 0x52eb78 in std::__atomic_base::load(std::memory_order) const /usr/include/c++/6/bits/atomic_base.h:396
    #1 0x52eb78 in std::__atomic_base::operator unsigned int() const /usr/include/c++/6/bits/atomic_base.h:259
    #2 0x52eb78 in print_bill(int) src/vp8/util/billing.cc:145
    #3 0x46b7f3 in process_file(IOUtil::FileReader, IOUtil::FileWriter, int, bool) src/lepton/jpgcoder.cc:1616

Use CVE-2016-6234. We think this is an issue in Lepton code. We were unable to find any relationship between src/vp8/util/billing.cc and the https://github.com/webmproject/libvpx/tree/master/vp8 code.

AddressSanitizer: SEGV on unknown address
    #0 0x455163 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023

Use CVE-2016-6235.

AddressSanitizer: global-buffer-overflow
READ of size 2
    #0 0x4571f0 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023

Use CVE-2016-6236 for this buffer over-read issue.

AddressSanitizer: global-buffer-overflow
WRITE of size 2
    #0 0x45392c in build_huffcodes(unsigned char, unsigned char, huffCodes, huffTree) src/lepton/jpgcoder.cc:5099

Use CVE-2016-6237.

AddressSanitizer: global-buffer-overflow
READ of size 2
    #0 0x4fe248 in ProbabilityTablesBase::set_quantization_table(BlockType, unsigned short const) src/vp8/model/model.hh:233
    #1 0x4fe248 in VP8ComponentEncoder::vp8_full_encoder(UncompressedComponents const, IOUtil::FileWriter, ThreadHandoff const, unsigned int) src/lepton/vp8_encoder.cc:465
    #2 0x47b3a8 in write_ujpg(std::vector >, std::vector >) src/lepton/jpgcoder.cc:3660

Use CVE-2016-6238 for this buffer over-read issue. We think this is an issue in Lepton code. We were unable to find any relationship between src/vp8/model/model.hh and the https://github.com/webmproject/libvpx/tree/master/vp8 code.

--
You are receiving this mail because:
You are on the CC list for the bug.
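
The following Python is an added example, not part of the bug report or of lepton: it parses ASan headlines and frames like those quoted above and groups reports by error kind, access type and first project frame, which keeps the two crashes at jpgcoder.cc:4023 in separate buckets, in line with their separate CVE IDs. Treating paths under `src/` as project frames is an assumption based on the traces here; the sample lines are transcribed from this report with a constructed one-frame-per-line layout.

```python
import re
from collections import defaultdict

# Report headline; the lookbehind skips ASan's trailing "SUMMARY: AddressSanitizer: ..." line.
HEADLINE = re.compile(r"(?<!SUMMARY: )AddressSanitizer: (?P<kind>[\w-]+)")
ACCESS = re.compile(r"\b(?P<op>READ|WRITE) of size (?P<size>\d+)")
# Frame line: "#0 0x455163 in func(args) path/file.cc:4023" (location is the last token).
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (?P<func>.+) (?P<loc>\S+:\d+)$")

def parse_reports(text):
    """Return one dict per ASan report: kind, access (op, size) or None, frames."""
    reports = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADLINE.search(line)
        if m:
            reports.append({"kind": m["kind"], "access": None, "frames": []})
        if not reports:
            continue
        cur = reports[-1]
        a = ACCESS.search(line)
        if a and cur["access"] is None:
            cur["access"] = (a["op"], int(a["size"]))
        f = FRAME.search(line)
        if f:
            cur["frames"].append((f["func"], f["loc"]))
    return reports

def bucket(reports):
    """Group by (kind, access op, first frame under src/), skipping libstdc++ frames."""
    groups = defaultdict(list)
    for r in reports:
        # Assumption: project sources live under src/, as in the traces above.
        top = next((loc for _, loc in r["frames"] if loc.startswith("src/")), "?")
        op = r["access"][0] if r["access"] else "-"
        groups[(r["kind"], op, top)].append(r)
    return dict(groups)

# Sample transcribed from the traces in this report (layout constructed).
SAMPLE = """\
AddressSanitizer: unknown-crash READ of size 208
#0 0x52eb78 in std::__atomic_base::load(std::memory_order) const /usr/include/c++/6/bits/atomic_base.h:396
#2 0x52eb78 in print_bill(int) src/vp8/util/billing.cc:145
AddressSanitizer: SEGV on unknown address
#0 0x455163 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023
AddressSanitizer: global-buffer-overflow READ of size 2
#0 0x4571f0 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023
AddressSanitizer: global-buffer-overflow WRITE of size 2
#0 0x45392c in build_huffcodes(unsigned char, unsigned char, huffCodes, huffTree) src/lepton/jpgcoder.cc:5099
"""
```
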

http://bugzilla.opensuse.org/show_bug.cgi?id=989342

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|VUL-0: CVE-2016-6234,       |VUL-0: CVE-2016-6234,
                   |CVE-2016-6235,              |CVE-2016-6235,
                   |CVE-2016-6236,              |CVE-2016-6236,
                   |CVE-2016-6237,              |CVE-2016-6237,
                   |CVE-2016-6234: leptop:      |CVE-2016-6234: lepton:
                   |multiple issues             |multiple memory handling
                   |                            |issues

http://bugzilla.opensuse.org/show_bug.cgi?id=989342#c2

--- Comment #2 from Martin Pluskal <mpluskal@suse.com> ---
So far lepton has been updated to version 1.2.1+git.20160718, I think that at the moment the most sensible approach is to wait for upstream to fix it. At the moment this package is residing only in devel project so there should be no harm in waiting a bit.