Package: libjpeg-mmx
Severity: important
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3005: "The JPEG library in media-libs/jpeg before 6b-r7 on Gentoo Linux is built without the -maxmem feature, which could allow context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted JPEG file that exceeds the intended memory limits."

Although the CVE is Gentoo-specific, Debian's libjpeg-mmx is not built with --maxmem enabled, making it vulnerable. I have attached a trivial patch to enable --maxmem to the same limit used in libjpeg62.

The Gentoo bug report mentioned in the CVE [1] contains a more elaborate patch [2] that limits the maximum amount of allocatable memory to 95% of physical memory. I believe the second patch is the better solution - libjpeg62 sets maxmem to 1024MB, and that doesn't help much when mem + swap is less than 1024 (the sample exploit image attached to the Gentoo bug starts my computer thrashing).

Neither the Woody nor the Sarge version builds with --maxmem, and both are vulnerable.

Please mention the CVE in your changelog.

Thanks,
Alec

[1] http://bugs.gentoo.org/show_bug.cgi?id=130889
[2] http://bugs.gentoo.org/attachment.cgi?id=88029&action=view

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEkJN3Aud/2YgchcQRAv7UAKCL3GLZjODa6PbqNNlJe6Wdq0XMxQCfb3j7
Ykn3VKh6AClF8pIAaSBn8/Q=
=Dx7A
-----END PGP SIGNATURE-----

--- debian/rules 2006-06-14 17:04:51.387093389 -0500 +++ debian/rules.new 2006-06-14 17:04:46.338577763 -0500 @@ -5,7 +5,7 @@ configure: configure-stamp configure-stamp: dh_testdir - ./configure --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info + ./configure --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --enable-maxmem=1024 touch configure-stamp
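
Review bot: the "--enable-maxmem=1024" appended to the ./configure line in the configure-stamp rule is a fixed value with no comment in debian/rules saying what unit it is in or why it was chosen. The report itself points out that a 1024MB cap does not help a machine whose memory plus swap is below that, so either add a comment next to the configure line stating that the value matches libjpeg62 and what it does not cover, or consider a lower value or the physical-memory-relative limit from the Gentoo patch. The patch also changes only debian/rules; the debian/changelog entry citing CVE-2006-3005 that the report asks for should go in with it.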