CVE-2017-9614 #167
|
I am unable to reproduce using djpeg. Please demonstrate the failure using only libjpeg-turbo. I don't debug other people's code. |
|
@mmuehlenhoff Please demonstrate how to reproduce this failure using only libjpeg-turbo, or I will be forced to assume that it is a downstream bug and close this tracker issue. Follow through on your bug reports if you want them fixed. Thanks. |
|
This is a bug in stills2dv caused by an abuse of the libjpeg API. This patch fixes it and probably improves performance as well. In the future, please do not submit bug reports against libjpeg-turbo unless the bug can be reproduced with libjpeg-turbo alone. Otherwise there is no way to know if the bug is a downstream bug, as this one was. There are numerous examples of how to properly use the libjpeg API to decompress an image, including in our own source code (in particular, https://github.com/libjpeg-turbo/libjpeg-turbo/blob/master/example.c#L283-L407 and https://github.com/libjpeg-turbo/libjpeg-turbo/blob/master/turbojpeg.c#L1381-L1487). The fact that a CVE was assigned to this without someone even bothering to check whether it was an application bug rather than a library bug is ridiculous. @mmuehlenhoff, I hope that you and other parties will immediately rescind that CVE and post an appropriate retraction, as it makes our project look bad when someone accuses us of a vulnerability that doesn't actually exist (in point of fact, this same issue was reproducible with any version of libjpeg as well, since the issue involved an abuse of the libjpeg API.) |
|
Hey there, I read about the CVE and ended up here - just to confirm, I understood that this issue is not caused by your code, right? If so, may I kindly ask what this patch is about which you have pasted here? |
|
"This is a bug in stills2dv caused by an abuse of the libjpeg API. This patch fixes it and probably improves performance as well." Sorry, I don't know how to be more clear than that. |
|
Ah, okay, I thought it was some kind of submodule of libjpeg. |
The following crash was reported on the full-disclosure mailing list (it also includes a PoC) and was assigned CVE-2017-9614:
http://seclists.org/fulldisclosure/2017/Jul/66