Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200606-11 ] JPEG library: Denial of Service
Date: Sun, 11 Jun 2006 21:24:32
Message-Id: 200606112215.10115.jaervosz@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200606-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: JPEG library: Denial of Service
Date: June 11, 2006
Bugs: #130889
ID: 200606-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The JPEG library is vulnerable to a Denial of Service.

Background
==========

The JPEG library is able to load, handle and manipulate images in the
JPEG format.

Affected packages
=================

-------------------------------------------------------------------
     Package                       /  Vulnerable  /      Unaffected
-------------------------------------------------------------------
  1  media-libs/jpeg                  < 6b-r7            >= 6b-r7

Description
===========

Tavis Ormandy of the Gentoo Linux Auditing Team discovered that the
vulnerable JPEG library ebuilds compile JPEG without the --maxmem
feature, which is not recommended.

Impact
======

By enticing a user to load a specially crafted JPEG image file an
attacker could cause a Denial of Service, due to memory exhaustion.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

JPEG users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/jpeg-6b-r7"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200606-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5