Tavis Ormandy of the Gentoo Linux Auditing Team discovered that the
vulnerable JPEG library ebuilds compile JPEG without the --maxmem
feature which is not recommended.
Impact
======
By enticing a user to load a specially crafted JPEG image file an
attacker could cause a Denial of Service, due to memory exhaustion.
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
Gentoo Linux Security Advisory GLSA 200606-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: JPEG library: Denial of Service
Date: June 11, 2006
Bugs: #130889
ID: 200606-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
The JPEG library is vulnerable to a Denial of Service.
Background
==========
The JPEG library is able to load, handle and manipulate images in the
JPEG format.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/jpeg < 6b-r7 >= 6b-r7
Description
===========
Tavis Ormandy of the Gentoo Linux Auditing Team discovered that the
vulnerable JPEG library ebuilds compile JPEG without the --maxmem
feature which is not recommended.
Impact
======
By enticing a user to load a specially crafted JPEG image file an
attacker could cause a Denial of Service, due to memory exhaustion.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
JPEG users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/jpeg-6b-r7"
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200606-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQBEjHnOzKC5hMHO6rkRAp0bAJ0WVjQmKpTlKHjyLWpASfjjTo6W7wCaA8Wh
gIt5JMi5qTDVjk8RcrSVJTQ=
=kueb
-----END PGP SIGNATURE-----
[ reply ]