Source: grave
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for grave.

CVE-2024-11403[0]:
| There exists an out of bounds read/write in LibJXL versions prior to
| commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder
| used by the JPEG XL encoder when doing JPEG recompression (i.e. if
| using JxlEncoderAddJPEGFrame on untrusted input) does not properly
| check bounds in the presence of incomplete codes. This could lead to
| an out-of-bounds write. In jpegli which is released as part of the
| same project, the same vulnerability is present. However, the
| relevant buffer is part of a bigger structure, and the code makes no
| assumptions on the values that could be overwritten. The issue could
| however cause jpegli to read uninitialised memory, or addresses of
| functions.

https://github.com/libjxl/libjxl/commit/9cc451b91b74ba470fd72bd48c121e9f33d24c99

CVE-2024-11498[1]:
| There exists a stack buffer overflow in libjxl. A specifically-
| crafted file can cause the JPEG XL decoder to use large amounts of
| stack space (up to 256mb is possible, maybe 512mb), potentially
| exhausting the stack. An attacker can craft a file that will cause
| excessive memory usage. We recommend upgrading past
| commit 65fbec56bc578b6b6ee02a527be70787bbd053b0.

https://github.com/libjxl/libjxl/pull/3943
https://github.com/libjxl/libjxl/commit/bf4781a2eed2eef664790170977d1d3d8347efb9

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-11403
    https://www.cve.org/CVERecord?id=CVE-2024-11403
[1] https://security-tracker.debian.org/tracker/CVE-2024-11498
    https://www.cve.org/CVERecord?id=CVE-2024-11498

Please adjust the affected versions in the BTS as needed.
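As an added, illustrative example (not libjxl or jpegli code, and not a reproduction of the upstream fix), this is the bounds discipline the CVE-2024-11403 text is about: a canonical JPEG Huffman table builder that rejects oversubscribed BITS counts, and a lookup that treats a bit pattern matching no code of an incomplete table as an error rather than an index into the symbol array. The names huff_build, huff_decode and decode_one are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed example. A JPEG DHT segment gives, for code lengths 1..16, how many
 * codes have that length (BITS), then the symbols (HUFFVAL). Tables may legally be
 * incomplete: some bit patterns match no code, and a decoder that assumes every
 * pattern maps to a symbol can index past its symbol array on such input. */
typedef struct {
    int32_t mincode[17], maxcode[17], valptr[17]; /* indexed by code length 1..16 */
    uint8_t symbols[256];
    size_t  nsymbols;
} huff_table;
/* Canonical code assignment (ITU T.81 Annex C). Rejects tables that oversubscribe
 * the code space or miscount symbols; reports unused code space in *incomplete. */
static bool huff_build(const uint8_t bits[16], const uint8_t *vals, size_t nvals,
                       huff_table *t, bool *incomplete) {
    uint32_t code = 0;  /* next free code at the current length */
    size_t k = 0;
    for (int l = 1; l <= 16; l++) {
        t->valptr[l] = (int32_t)k; t->mincode[l] = (int32_t)code;
        code += bits[l - 1]; k += bits[l - 1];
        if (code > (1u << l)) return false;            /* oversubscribed */
        t->maxcode[l] = bits[l - 1] ? (int32_t)code - 1 : -1;
        code <<= 1;
    }
    if (k > 256 || k != nvals) return false;
    *incomplete = code != (1u << 17);  /* a complete table fills all 2^16 leaves */
    memcpy(t->symbols, vals, nvals);
    t->nsymbols = nvals;
    return true;
}
/* Decodes one symbol from a '0'/'1' string; -1 means no code of length <= 16 matched. */
static int huff_decode(const huff_table *t, const char *bitstr) {
    int32_t code = 0;
    for (int l = 1; l <= 16; l++) {
        if (bitstr[l - 1] != '0' && bitstr[l - 1] != '1') return -1; /* out of input */
        code = (code << 1) | (bitstr[l - 1] - '0');
        if (t->maxcode[l] >= 0 && code <= t->maxcode[l]) {
            size_t idx = (size_t)t->valptr[l] + (size_t)(code - t->mincode[l]);
            return idx < t->nsymbols ? t->symbols[idx] : -1; /* never trust the index */
        }
    }
    return -1;  /* incomplete table: the pattern matches nothing */
}
/* Build then decode one code: the symbol, -1 on a miss, -2 if the table is rejected. */
static int decode_one(const uint8_t bits[16], const uint8_t *vals, size_t nvals, const char *bitstr) {
    huff_table t; bool incomplete;
    if (!huff_build(bits, vals, nvals, &t, &incomplete)) return -2;
    return huff_decode(&t, bitstr);
}
```

The standard luminance DC table from T.81 (BITS 0 1 5 1 1 1 1 1 1, symbols 0..11) is itself incomplete, so a run of sixteen 1 bits legitimately reaches the miss path.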