http://bugzilla.opensuse.org/show_bug.cgi?id=989342 Bug ID: 989342 Summary: VUL-0: CVE-2016-6234, CVE-2016-6235, CVE-2016-6236, CVE-2016-6237, CVE-2016-6234: leptop: multiple issues Classification: openSUSE Product: openSUSE.org Version: unspecified Hardware: Other OS: openSUSE 42.1 Status: NEW Severity: Normal Priority: P5 - None Component: 3rd party software Assignee: mpluskal@suse.com Reporter: astieger@suse.com QA Contact: opensuse-communityscreening@forge.provo.novell.com CC: security-team@suse.de Found By: Security Response Team Blocker: --- Courtesy bug from the security team against Archiving/lepton. It is at 1.0, upstream is 1.2.1 and may still have fixes to come for the below. http://seclists.org/oss-sec/2016/q3/87 I just reported on dropbox/lepton github project some memory corruption issues, with reproducers. https://github.com/dropbox/lepton/issues/26 download some samples that will cause memory corruption problems in lepton: https://github.com/marcograss/marcograss.github.io/blob/master/assets/lepton... you can reproduce with ./lepton/lepton -singlethread -unjailed -preload testcase.jpeg /tmp/out.lep AddressSanitizer: unknown-crash READ of size 208 #0 0x52eb78 in std::__atomic_base::load(std::memory_order) const /usr/include/c++/6/bits/atomic_base.h:396 #1 0x52eb78 in std::__atomic_base::operator unsigned int() const /usr/include/c++/6/bits/atomic_base.h:259 #2 0x52eb78 in print_bill(int) src/vp8/util/billing.cc:145 #3 0x46b7f3 in process_file(IOUtil::FileReader, IOUtil::FileWriter, int, bool) src/lepton/jpgcoder.cc:1616 Use CVE-2016-6234. We think this is an issue in Lepton code. We were unable to find any relationship between src/vp8/util/billing.cc and the https://github.com/webmproject/libvpx/tree/master/vp8 code. AddressSanitizer: SEGV on unknown address #0 0x455163 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023 Use CVE-2016-6235. AddressSanitizer: global-buffer-overflow READ of size 2 #0 0x4571f0 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023 Use CVE-2016-6236 for this buffer over-read issue. AddressSanitizer: global-buffer-overflow WRITE of size 2 #0 0x45392c in build_huffcodes(unsigned char, unsigned char, huffCodes, huffTree) src/lepton/jpgcoder.cc:5099 Use CVE-2016-6237. AddressSanitizer: global-buffer-overflow READ of size 2 #0 0x4fe248 in ProbabilityTablesBase::set_quantization_table(BlockType, unsigned short const) src/vp8/model/model.hh:233 #1 0x4fe248 in VP8ComponentEncoder::vp8_full_encoder(UncompressedComponents const, IOUtil::FileWriter, ThreadHandoff const, unsigned int) src/lepton/vp8_encoder.cc:465 #2 0x47b3a8 in write_ujpg(std::vector >, std::vector >) src/lepton/jpgcoder.cc:3660 Use CVE-2016-6238 for this buffer over-read issue. We think this is an issue in Lepton code. We were unable to find any relationship between src/vp8/model/model.hh and the https://github.com/webmproject/libvpx/tree/master/vp8 code. -- You are receiving this mail because: You are on the CC list for the bug.