Bug#373672: libjpeg-mmx: CVE-2006-3005: memory exhaustion
On Wed, Jun 14, 2006 at 05:53:45PM -0500, Alec Berryman wrote:
> Package: libjpeg-mmx
> Severity: important
> Tags: security patch
>
> CVE-2006-3005: "The JPEG library in media-libs/jpeg before 6b-r7 on
> Gentoo Linux is built without the -maxmem feature, which could allow
> context-dependent attackers to cause a denial of service (memory
> exhaustion) via a crafted JPEG file that exceeds the intended memory
> limits."
>
> Although the CVE is Gentoo-specific, Debian's libjpeg-mmx is not built
> with --maxmem enabled, making it vulnerable. I have attached a trivial
> patch to enable --maxmem to the same limit used in libjpeg62. The
> Gentoo bug report mentioned in the CVE [1] contains a more elaborate
> patch [2] that limits the maximum amount of allocatable memory to 95% of
> physical memory. I believe the second patch is the better solution -
> libjpeg62 sets maxmem to 1024MB, and that doesn't help much when mem +
> swap is less than 1024 (the sample exploit image attached to the Gentoo
> bug starts my computer thrashing).
>
> Neither the Woody nor the Sarge version builds with --maxmem, and both
> are vulnerable.
I don't see the point. There are valid use cases where very large files
are required, and if an admin encounters problems with users handling
overly large pictures, she can apply site-specific resource limits.
Cheers,
Moritz
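The two positions in this thread, side by side, as an added example that is not code from either message, from the Gentoo patch, or from libjpeg: a cap of min(fixed limit, 95% of physical RAM), and a per-process address-space limit of the kind an admin can impose. The function names are hypothetical; the 1024MB and 95% figures are the ones quoted above, and Linux with `RLIMIT_AS` is assumed.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define MIB (1024ULL * 1024ULL)

/* min(fixed_cap, 95% of physical RAM); phys_bytes == 0 means "unknown". */
uint64_t pick_mem_cap(uint64_t phys_bytes, uint64_t fixed_cap)
{
    uint64_t frac = phys_bytes / 100 * 95;
    return (phys_bytes != 0 && frac < fixed_cap) ? frac : fixed_cap;
}

/* Physical RAM in bytes, or 0 if sysconf cannot report it. */
uint64_t physical_memory_bytes(void)
{
    long pages = sysconf(_SC_PHYS_PAGES), psize = sysconf(_SC_PAGESIZE);
    return (pages > 0 && psize > 0) ? (uint64_t)pages * (uint64_t)psize : 0;
}

/* Fork a child, cap its address space at `cap` bytes, then try to map
 * `request` bytes. Returns 1 if granted, 0 if refused, -1 on error. */
int alloc_allowed_under_cap(uint64_t cap, uint64_t request)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_AS, &rl) != 0) _exit(2);
        if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > cap) {
            rl.rlim_cur = (rlim_t)cap;   /* only ever lower the soft limit */
            if (setrlimit(RLIMIT_AS, &rl) != 0) _exit(2);
        }
        void *p = mmap(NULL, (size_t)request, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        _exit(p == MAP_FAILED ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 2)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    uint64_t cap = pick_mem_cap(physical_memory_bytes(), 1024 * MIB);
    return alloc_allowed_under_cap(cap, 16 * MIB) == 1 ? 0 : 1;
}
```

On a 512 MiB machine the fixed 1024MB limit never applies, while the 95% rule yields a cap below installed RAM; the forked probe shows an oversized request being refused in the limited process only.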