CVE-2018-14498 from libjpeg-turbo #2728
Comments
@oprisnik can you take a look at this one?
Does anyone have any rough timescales on this one? We've failed a pen test due to this vulnerability and are on a really tight timescale to get it retested and passed before we can start a new contract. Thanks!
Bump
Same here
Yep, trying to close some CVEs on our app. Ideally bump
Also trying to close some CVEs. Any updates on this?
We have this on a pen test report too.
We have this on a pen test report too. Any updates on this?
Here also with the issue reported on a pen test
Any updates on this?
Any updates on this? It's been years since this vulnerability was reported.
Google app services still reports this as a vulnerability when trying to upload an application created with react-native due to the usage of this library. Is there any update?
What's the risk of having this unpatched?
@drstevenbrule the risk is a heap-based buffer over-read and application crash when libjpeg-turbo compresses certain specially-crafted 8-bit BMP files during conversion to JPEG. See NVD detail and this libjpeg-turbo commit. A good victim would be a social media application that shares user-uploaded bitmap images which it converts to JPEG at display time. An attacker seeking denial of service could upload a malicious bitmap image and any user who would view that image will experience an application crash from the resulting out-of-bounds memory read during conversion.
@cortinico if Fresco never under any circumstance uses libjpeg-turbo to manipulate BMP files, then this CVE cannot be exploited. Browsing the source code I don't think it ever does, but maybe a core contributor can confirm? An example of using it to instigate the crash is here with some appropriate BMP files available here.
@cortinico @oprisnik would you take a look at #2768.
@mnt @cortinico @oprisnik Any update here? This vulnerability has been sitting for some time. Thanks!
We are planning to fix this by merging #2768.
Summary: Thanks for submitting a PR! Please read these instructions carefully: - [x] Explain the **motivation** for making this change. - [x] Provide a **test plan** demonstrating that the code is solid. - [x] Match the **code formatting** of the rest of the codebase. - [x] Target the `main` branch ## Motivation (required) #2728 ## Test Plan (required) Test passed when it ran `createNativeLibrariesTasks` ## Next Steps Sign the [CLA][2], if you haven't already. Small pull requests are much easier to review and more likely to get merged. Make sure the PR does only one thing, otherwise please split it. Make sure all **tests pass** on [Circle CI][4]. PRs that break tests are unlikely to be merged. For more info, see the [Contributing guide][4]. [1]: https://medium.com/martinkonicek/what-is-a-test-plan-8bfc840ec171#.y9lcuqqi9 [2]: https://code.facebook.com/cla [3]: http://circleci.com/gh/facebook/fresco [4]: https://github.com/facebook/fresco/blob/main/CONTRIBUTING.md Pull Request resolved: #2768 Reviewed By: defHLT Differential Revision: D57862576 Pulled By: steelrooter fbshipit-source-id: 3f86c92c27db26e8f9596d227eb0f2184578a9e1
@steelrooter when can we take a release cut to upgrade Fresco on react-native?
Summary: This resolves CVE-2018-14498 coming from libjpeg-turbo via Fresco. facebook/fresco#2728 Changelog: [Android] [Changed] - Bump Fresco to 3.2.0 to fix CVE-2018-14498 Reviewed By: javache Differential Revision: D58136396
Closing as this was fixed in Fresco 3.2.0
Summary: Pull Request resolved: #44783 This resolves CVE-2018-14498 coming from libjpeg-turbo via Fresco. facebook/fresco#2728 Changelog: [Android] [Changed] - Bump Fresco to 3.2.0 to fix CVE-2018-14498 Reviewed By: javache Differential Revision: D58136396 fbshipit-source-id: 6889f082fac501d0915e444c4e1130bc08c66e6d
Description
The latest version of Fresco uses libjpeg-turbo and specifies version 1.5.3 here. This version of libjpeg-turbo is vulnerable to CVE-2018-14498.
Reproduction
I have no example of how the vulnerability may be exploited in the context of this project.
Solution
Upgrade libjpeg-turbo to a higher version which is not associated with any CVE. The minimum version which resolves CVE-2018-14498 is 2.0.0. You may wish to go higher, but be aware that some higher versions may have their own CVE. For example, you should not upgrade to version 2.0.1 as this version has CVE-2018-20330.
Additional Information
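Added example, not part of the original issue or of Fresco's own code: a build check that applies the version guidance from this thread (Fresco fixed in 3.2.0; libjpeg-turbo 2.0.0 as the minimum, 2.0.1 to be avoided) to Gradle dependency-tree output. The function names, the sample tree and the `com.example` coordinate are constructed for illustration.

```python
import re

FRESCO_FIXED = (3, 2, 0)                    # thread: fixed in Fresco 3.2.0
LJT_MIN_FIXED = (2, 0, 0)                   # issue: minimum libjpeg-turbo resolving CVE-2018-14498
LJT_AVOID = {(2, 0, 1): "CVE-2018-20330"}   # issue: do not upgrade to 2.0.1

# Gradle prints 'group:artifact:declared' and, on conflict resolution, 'declared -> resolved'.
COORD = re.compile(r"(com\.facebook\.fresco):([\w.-]+):([\w.-]+)(?:\s*->\s*([\w.-]+))?")

def parse_version(text):
    """'3.2.0' -> (3, 2, 0); a suffix such as '-SNAPSHOT' is ignored."""
    nums = re.findall(r"\d+", text.split("-")[0])[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def fresco_findings(dependency_tree):
    """Return sorted (artifact, resolved_version) pairs that resolve below Fresco 3.2.0."""
    flagged = set()
    for m in COORD.finditer(dependency_tree):
        _, artifact, declared, resolved = m.groups()
        version = resolved or declared      # the resolved version is what ships
        if parse_version(version) < FRESCO_FIXED:
            flagged.add((artifact, version))
    return sorted(flagged)

def libjpeg_turbo_status(version):
    """Classify a libjpeg-turbo version using only the guidance given in the issue."""
    v = parse_version(version)
    if v < LJT_MIN_FIXED:
        return "affected by CVE-2018-14498"
    if v in LJT_AVOID:
        return "avoid: " + LJT_AVOID[v]
    return "ok for CVE-2018-14498"

# Constructed sample of `gradle dependencies` output (not taken from a real build).
SAMPLE_TREE = r"""+--- com.example:app-ui:1.0.0
|    +--- com.facebook.fresco:fresco:3.1.3
|    |    \--- com.facebook.fresco:imagepipeline:3.1.3
|    \--- com.facebook.fresco:imagepipeline-okhttp3:3.1.3
\--- com.facebook.fresco:animated-gif:2.5.0 -> 3.2.0
"""

if __name__ == "__main__":
    print(fresco_findings(SAMPLE_TREE))
    print(libjpeg_turbo_status("1.5.3"))
```

Checking the resolved version rather than the declared one matters because a transitive dependency can still pull an older Fresco artifact into the build.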