Published on March 4th, 2021 📆 | 4001 Views ⚑0
jpeg-xl 0.3.1 Memory Corruption ≈ Packet Storm
Highest Severity Rating: High
Confirmed Affected Versions: jpeg-xl v0.3.1 and earlier
Vendor: Joint Photographic Experts Group (JPEG)
Vendor URL: https://gitlab.com/wg1/jpeg-xl
Summary and Impact
jpeg-xl is the reference implementation by the Joint Photographic
Experts Group (JPEG) of the new JPEG XL standard.
Multiple memory corruption vulnerabilities were found and reported in
the last 3 months. The security issues were responsively reported to
the vendor and were fixed in subsequent version, however silently.
The changelog does not reflect security issues being fixed:
jpeg-xl (0.3.2) urgency=medium
* Bump JPEG XL version to 0.3.2.
* Fix embedded ICC encoding regression #149.
— Fri, 12 Feb 2021 21:00:12 +0100
jpeg-xl (0.3.1) urgency=medium
* Bump JPEG XL version to 0.3.1.
— Tue, 09 Feb 2021 09:48:43 +0100
jpeg-xl (0.3) urgency=medium
* Bump JPEG XL version to 0.3.
— Wed, 27 Jan 2021 22:36:32 +0100
All the while it is already being available e.g. in Arch Linux
(https://aur.archlinux.org/packages/libjpeg-xl-git/) and FreeBSD
(https://pkgs.org/download/jpeg-xl) and is currently in the process of
being added to Debian and therefore to Ubuntu and Kali Linux.
Hence the need to sit down and write a boring advisory to publish on a
mailing list instead of doing something more interesting 🙁
For anyone interested, the memory corruptions were discovered by using
the AFL++ fuzzer (https://github.com/AFLplusplus/AFLplusplus) for just a
few hours for testing purposes. The current v0.3.2 release of jpeg-xl
also produces writeable memory corruptions when fuzzing for a very short
time (with a good starting corpus that is).
The vendor should establish a proper notification on fixed security
issues in the changelog and not put the Internet at risk.
PGP: AF3D 1D4C D810 F0BB 977D 3807 C7EE D0A0 6BE9 F573