
libjpeg-turbo bug which is using by flutter engine #68604

Open
leo7723 opened this issue Oct 20, 2020 · 12 comments
Labels
engine flutter/engine repository. See also e: labels. P2 Important issues not at the top of the work list team-engine Owned by Engine team triaged-engine Triaged by Engine team

Comments

leo7723 commented Oct 20, 2020

Flutter engine is using libjpeg-turbo at version '0fb821f3b2e570b2783a94ccd9a2fb1f4916ae9f'.
My team found a bug in this version.
Detail: https://nvd.nist.gov/vuln/detail/CVE-2018-14498#range-5696424
Does this bug really matter? It looks like a serious problem.

darshankawar (Member) commented

@leo7723
Please elaborate more on the issue. Are you using any plugin for libjpeg-turbo? Please provide `flutter doctor -v` and a minimal code sample that shows the bug. Also provide details about what exactly the bug you found is and what the expected result should be.
Thanks.

@darshankawar darshankawar added in triage Presently being triaged by the triage team waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds labels Oct 21, 2020
@leo7723 leo7723 closed this as completed Oct 22, 2020
@darshankawar darshankawar removed in triage Presently being triaged by the triage team waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds labels Oct 22, 2020
ds84182 (Contributor) commented Oct 22, 2020

Can someone take a look at this? Are we using that version of libjpeg-turbo, or are we using the version bundled by Skia?

cc @Hixie

@ds84182 ds84182 reopened this Oct 22, 2020
@darshankawar darshankawar added engine flutter/engine repository. See also e: labels. passed first triage labels Oct 23, 2020
@kf6gpe kf6gpe added the P2 Important issues not at the top of the work list label Dec 11, 2020
leonard-hw commented

Hi guys, is there any plan to solve this CVE (CVE-2018-14498) in a future Flutter engine version?

leonard-hw commented

The CVE has been solved in the new version of libjpeg-turbo:
libjpeg-turbo/libjpeg-turbo@9c78a04

leo7723 (Author) commented Jun 4, 2021

They have already added a 'P4' label to this issue. I have already found 2 security problems, both at 'P4', and none of them were resolved. Maybe you can make a merge request to solve the problem.

They have already rated this issue as P4. I filed two security issues in total and neither has been resolved. You look like a colleague, so you may also run into the other issue I filed.

leonard-hw commented

They have already added a 'P4' label to this issue. I have already found 2 security problems, both at 'P4', and none of them were resolved. Maybe you can make a merge request to solve the problem.

They have already rated this issue as P4. I filed two security issues in total and neither has been resolved. You look like a colleague, so you may also run into the other issue I filed.

Saw it, the one about the SP compile option...

mlf2020 commented Aug 25, 2022

Version 3.0.5 of Flutter has libjpeg vulnerabilities (not the same as CVE-2018-14498):
CVE-2020-14152
CVE-2020-14153

Is there any plan to solve these in a future Flutter engine version? This is a serious problem.
This issue was opened in 2020, and it hasn't been solved for nearly 2 years???

pwa-tapptic commented

Our security tool has found the same issue (Android build only). Here are details about the vulnerabilities:

  • CVE-2018-14498: get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
  • CVE-2018-20330: The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench.

The same issue is there even if we update Flutter from 3.0.5 to 3.3.4.

danielpif commented Jun 25, 2023

Same issue on Flutter 3.10.5. It still depends on `0fb821f3b2e570b2783a94ccd9a2fb1f4916ae9f`, which is causing serious vulnerabilities in our app.

ds84182 (Contributor) commented Jun 26, 2023

The two referenced CVEs do not actually affect any code used by Flutter. They are within some of the tests/CLI/example code that is part of libjpeg's source tree.

danielpif commented

In our scan it raised the following vulnerabilities:

While checking the first one, it seems that the vulnerability isn't inside example code (this is the fix: libjpeg-turbo/libjpeg-turbo@6bbc0a3).
Same for the second issue: libjpeg-turbo/libjpeg-turbo@cbe01e0

ds84182 (Contributor) commented Jun 26, 2023

While checking the first one, it seems that the vulnerability isn't inside example code (this is the fix: libjpeg-turbo/libjpeg-turbo@6bbc0a3). Same for the second issue: libjpeg-turbo/libjpeg-turbo@cbe01e0

CVE-2020-17541 is only hit when losslessly transforming images with jpegtran (a command line utility), hence this part of the commit message:

Since this issue affected only lossless transformation, a workflow that
isn't generally exposed to arbitrary data exploits, and since the
overrun did not overflow the stack (i.e. it did not result in a segfault
or other user-visible issue, and valgrind didn't even detect it), it did
not likely pose a security risk.

CVE-2018-14498 and CVE-2018-20330 are only inside the cjpeg command line utility, which converts between image formats. Specifically, they are within the BMP decoder that is part of this utility. At no point does Flutter use libjpeg to decode BMPs.

All three CVEs are in libjpeg command line utilities. Again I stress that these are not used within Flutter, as Flutter does not use command line utilities from libjpeg at any point in time.
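For readers triaging the scanner findings above, the two bug classes named in the CVE descriptions (a palette index read from an 8-bit BMP used without a range check, and a pitch*height multiplication that can wrap) are small enough to show in isolation. The following is an added illustration written for this thread, not libjpeg-turbo's or Flutter's code; the palette, sample rows and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 4-entry BGR palette (hypothetical sample data); the only
 * valid colour indices for it are 0..3. */
enum { PALETTE_ENTRIES = 4 };
static const uint8_t palette[PALETTE_ENTRIES][3] = {
    {0, 0, 0}, {255, 0, 0}, {0, 255, 0}, {0, 0, 255}
};

/* Expand one row of 8-bit palette indices into packed 3-byte pixels.
 * Returns 0 on success, -1 if any index is out of range for the palette.
 * A converter that skips the range check indexes pal[] with a value taken
 * straight from the file, which is the heap over-read described for
 * CVE-2018-14498; a crafted row with index >= palette_entries triggers it. */
int expand_8bit_row(const uint8_t *row, size_t width,
                    const uint8_t (*pal)[3], size_t palette_entries,
                    uint8_t *out)
{
    for (size_t i = 0; i < width; i++) {
        unsigned idx = row[i];
        if (idx >= palette_entries)
            return -1;              /* reject the file instead of over-reading */
        out[3 * i + 0] = pal[idx][0];
        out[3 * i + 1] = pal[idx][1];
        out[3 * i + 2] = pal[idx][2];
    }
    return 0;
}

/* Compute a pixel-buffer size of pitch * height bytes without wrapping.
 * Returns 0 and stores the size on success, -1 on overflow. Multiplying
 * unchecked and then allocating the (wrapped, too small) result is the
 * integer-overflow class described for CVE-2018-20330. */
int checked_buffer_size(size_t pitch, size_t height, size_t *size)
{
    if (pitch != 0 && height > SIZE_MAX / pitch)
        return -1;
    *size = pitch * height;
    return 0;
}

/* Constructed inputs: one well-formed row and one with index 4 (out of range). */
static const uint8_t sample_row_ok[3]  = {0, 3, 1};
static const uint8_t sample_row_bad[3] = {0, 4, 1};
static uint8_t rgb_out[9];
static size_t size_result;
```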

@flutter-triage-bot flutter-triage-bot bot added team-engine Owned by Engine team triaged-engine Triaged by Engine team labels Jul 8, 2023