
Bug#373672: libjpeg-mmx: CVE-2006-3005: memory exhaustion

Moritz Muehlenhoff on 2006-06-15 12:10:15 +0200:

> On Wed, Jun 14, 2006 at 05:53:45PM -0500, Alec Berryman wrote:
> > Although the CVE is Gentoo-specific, Debian's libjpeg-mmx is not built
> > with --maxmem enabled, making it vulnerable.  I have attached a trivial
> > patch to enable --maxmem to the same limit used in libjpeg62.  The
> > Gentoo bug report mentioned in the CVE [1] contains a more elaborate
> > patch [2] that limits the maximum amount of allocatable memory to 95% of
> > physical memory.  I believe the second patch is the better solution -
> > libjpeg62 sets maxmem to 1024MB, and that doesn't help much when mem +
> > swap is less than 1024 (the sample exploit image attached to the Gentoo
> > bug starts my computer thrashing).
> I don't see the point. There are valid use cases, where very large files
> are required and if an admin encounters problems with users handling
> overly large pictures she can apply site-specific resource limits.

The sample exploit JPEG [1] is under 1kb; that's easily small enough to
smuggle into a web page or upload to an unsuspecting image processor.

That being said, while the exploit worked for me yesterday, it doesn't
for me today.  I'm not sure what changed (or if I just screwed up the
first time); if no one can confirm this, it ought to be closed.

[1] http://bugs.gentoo.org/attachment.cgi?id=85214
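
The two mitigations discussed in this thread, shown side by side as an added example (not code from the thread, from libjpeg-mmx, or from the Gentoo patch): a ceiling computed as 95% of physical memory, and a per-process limit applied from outside the library. It assumes Linux and uses `RLIMIT_AS` as one way to impose a site-specific resource limit; the helper names and the request sizes are constructed for illustration.

```c
/* Added example: constructed sizes, hypothetical helper names. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 95% of physical RAM, the ceiling the thread describes for the Gentoo patch. */
static unsigned long long cap_95_percent_of_ram(void) {
    long pages = sysconf(_SC_PHYS_PAGES);
    long page_size = sysconf(_SC_PAGESIZE);
    if (pages <= 0 || page_size <= 0) return 0;
    return (unsigned long long)pages * (unsigned long long)page_size / 100 * 95;
}

/* Fork a child, cap its address space at cap_bytes, then request
 * request_bytes the way a decoder would for an image buffer.
 * Returns 1 if the allocation was refused, 0 if granted, -1 on error. */
static int alloc_refused_under_cap(unsigned long long cap_bytes,
                                   unsigned long long request_bytes) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit lim = { (rlim_t)cap_bytes, (rlim_t)cap_bytes };
        if (setrlimit(RLIMIT_AS, &lim) != 0) _exit(2);
        /* volatile keeps the compiler from eliding the malloc call */
        void *volatile buf = malloc((size_t)request_bytes);
        _exit(buf == NULL ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    if (WEXITSTATUS(status) == 1) return 0;
    return -1;
}

int main(void) {
    unsigned long long ram_cap = cap_95_percent_of_ram();
    unsigned long long fixed_cap = 1024ULL << 20;  /* libjpeg62's 1024MB */
    unsigned long long request = 900ULL << 20;     /* constructed request */
    printf("95%% of RAM: %llu MB\n", ram_cap >> 20);
    printf("900MB under 1024MB cap refused: %d\n",
           alloc_refused_under_cap(fixed_cap, request));
    printf("900MB under 256MB cap refused:  %d\n",
           alloc_refused_under_cap(256ULL << 20, request));
    return 0;
}
```

A request that fits under the fixed 1024MB ceiling is still granted on a machine whose RAM plus swap is smaller than that, which is the case the original report describes; a cap derived from the machine or set per process refuses it before the allocation is touched.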
