ltj update to 1.2.1+svn853

Bug #1012861 reported by Tom Gall on 2012-06-13
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
libjpeg-turbo (Ubuntu) | | Medium | Tom Gall |
Precise | | Medium | Tom Gall |

Bug Description

This bug is a placeholder to update to 1.2.1-svn833.

This picks up the following fixes:
  * update to stable release 1.2.1 r833
   * Guard against num_components being a ridiculous
     value due to a corrupt header
   * Preserve all 128 bits of xmm6 and xmm7

as well as getting Ubuntu onto the stable 1.2.x codebase which includes:

* Ensure that tjDecompress2() exits cleanly if setDecompDefaults() fails

and also includes the following from between +svn733 which is currently in precise and 1.2.1

* Fix the behavior of the alpha-enabled colorspace constants whenever libjpeg-turbo is built without SIMD support and merged upsampling is used.
* Allow RGB JPEG files to be created/decoded when using the LJT colorspace extensions
* Install docs when doing 'make install' on Unix; Fix 'install' target on Windows; Include wizard.txt, example.c, and structure.txt in installed docs
* Merge documentation and wordsmithing changes from 1.2, including promotion of -arithmetic to a "switch for advanced users"
* Merge copyright messages into one string and change the run-time messages to avoid confusion (we are not technically based on the latest libjpeg, although we do borrow some code from it)
* Add more extensive TurboJPEG regression tests
* Move test images into their own subdirectory
* Oops. Height of output buffer should equal scaled height, not JPEG height.
* Oops. Need to handle cases in which num_components > n

CVE References

Tom Gall (tom-gall) wrote :

Updated package located in

ppa:tom-gall/packages

tested on x86_64, armel and armhf

Changed in libjpeg-turbo (Ubuntu):
assignee: nobody → Tom Gall (tom-gall)
status: New → Confirmed
Tom Gall (tom-gall) on 2012-07-02
summary: - ltj update to 1.2.1+svn833
+ ltj update to 1.2.1+svn853
Tom Gall (tom-gall) wrote :

Updating bug to go to 1.2.1+svn853

Packaged, tested and available at ppa:tom-gall/packages.

Tom Gall (tom-gall) wrote :

Adding SRU template with information.

[IMPACT]

 * This update is an opportunity to sync with the upstream stable release of 1.2.1 (as of SVN853)

 * This update includes a number of changes, they are:

* update to stable release 1.2.1 r853
* Cosmetic fixes to argument lists
* Added flags to the TurboJPEG API that allow the caller to force
the use of either the fast or the accurate DCT/IDCT algorithms
in the underlying codec.
* More recent versions of autoconf add -traditional-cpp to the CPP
flags, which causes jsimdcfg.inc.h to not preprocess correctly
unless we expand all of the instances of the #definev macro.
* Fixed regression caused by a bug in the 32-bit strict memory access
code in jdmrgss2.asm (contributed by Chromium to stop valgrind from
whining whenever the output buffer size was not evenly divisible by
16 bytes.) On Linux/x86, this regression generated incorrect
pixels on the right-hand side of images whose rows were not 16-byte
aligned, whenever fancy upsampling was used. This patch also
enables the strict memory access code on all platforms, not just
Linux (it does no harm on other platforms) and removes a couple of
pcmpeqb instructions that were rendered unnecessary by r835.
* Accelerated 4:2:2 upsampling routine for ARM (improves
performance ~20-30% when decompressing 4:2:2 JPEGs using
fancy upsampling)
* Eliminate the use of the MASKMOVDQU instruction, to speed
up decompression performance by 10x on AMD Bobcat embedded
processors (and ~5% on AMD desktop processors.)
* add tjbench to libjpeg-turbo-test packages
* Guard against num_components being a ridiculous
value due to a corrupt header
* Preserve all 128 bits of xmm6 and xmm7

[TESTCASE]

 * make test passes which runs the libjpeg-turbo test suite. This has been run on armhf and x86_64 and x86

[Regression Potential]

 * libjpeg-turbo is fairly stable. Libjpeg however can be considered a core library and a number of applications do link to it. If there is an error, image effects in eog, or other graphical applications will be the likely result.

[Other Info]

 * There are fixes included in the java source code bindings, however since this is not built, these changes do not have an effect.
 * None of the changes since the last version in the archive and this candidate version are for security.

Tom Gall (tom-gall) on 2012-07-02
Changed in libjpeg-turbo (Ubuntu):
status: Confirmed → In Progress
Tom Gall (tom-gall) wrote :

updated libjpeg-turbo_1.2.1+svn853-1ubuntu6
ppa:tom-gall/packages

 * fixes LP:1012861 - update to stable 1.2.1
  * fixes LP:1025537 addressing CVE-2012-2806
    A Heap-based buffer overflow was found in the way libjpeg-turbo
    decompressed certain corrupt JPEG images in which the component count
    was erroneously set to a large value. An attacker could create a
    specially-crafted JPEG image that, when opened, could cause an
    application using libpng to crash or, possibly, execute arbitrary code
    with the privileges of the user running the application.
  * fixes LP:1012861 - update to stable 1.2.1 r853
   * Cosmetic fixes to argument lists
   * Added flags to the TurboJPEG API that allow the caller to force
     the use of either the fast or the accurate DCT/IDCT algorithms
     in the underlying codec.
   * More recent versions of autoconf add -traditional-cpp to the CPP
     flags, which causes jsimdcfg.inc.h to not preprocess correctly
     unless we expand all of the instances of the #definev macro.
   * Fixed regression caused by a bug in the 32-bit strict memory access
     code in jdmrgss2.asm (contributed by Chromium to stop valgrind from
     whining whenever the output buffer size was not evenly divisible by
     16 bytes.) On Linux/x86, this regression generated incorrect
     pixels on the right-hand side of images whose rows were not 16-byte
     aligned, whenever fancy upsampling was used. This patch also
     enables the strict memory access code on all platforms, not just
     Linux (it does no harm on other platforms) and removes a couple of
     pcmpeqb instructions that were rendered unnecessary by r835.
   * Accelerated 4:2:2 upsampling routine for ARM (improves
     performance ~20-30% when decompressing 4:2:2 JPEGs using
     fancy upsampling)
   * Eliminate the use of the MASKMOVDQU instruction, to speed
     up decompression performance by 10x on AMD Bobcat embedded
     processors (and ~5% on AMD desktop processors.)
   * add tjbench to libjpeg-turbo-test packages
   * Guard against num_components being a ridiculous
     value due to a corrupt header
   * Preserve all 128 bits of xmm6 and xmm7

Matthias Klose (doko) wrote :

sru (precise), and ffe (quantal) needed. the package looks ok from my point of view, the upstream updates are regression fixes and other bug fixes only.

Tom, how was the package tested?

Changed in libjpeg-turbo (Ubuntu):
milestone: none → ubuntu-12.10-beta-2
Changed in libjpeg-turbo (Ubuntu Precise):
milestone: none → precise-updates
assignee: nobody → Tom Gall (tom-gall)
importance: Undecided → Medium
Changed in libjpeg-turbo (Ubuntu):
importance: Undecided → Medium
Changed in libjpeg-turbo (Ubuntu Precise):
status: New → Confirmed
Adam Conrad (adconrad) wrote :

The FFe for quantal seems perfectly reasonable. Go ahead and make that happen. Once it's been in Q for a while and proven reliable, perhaps that would be a better time to discuss this as an SRU.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libjpeg-turbo - 1.2.1-0ubuntu1

---------------
libjpeg-turbo (1.2.1-0ubuntu1) quantal; urgency=low

  [ Tom Gall ]
  * Update to stable 1.2.1. LP: #1012861.
    * Addresses CVE-2012-2806. LP: #1025537.
      A Heap-based buffer overflow was found in the way libjpeg-turbo
      decompressed certain corrupt JPEG images in which the component count
      was erroneously set to a large value. An attacker could create a
      specially-crafted JPEG image that, when opened, could cause an
      application using libpng to crash or, possibly, execute arbitrary code
      with the privileges of the user running the application.
    * Cosmetic fixes to argument lists
    * Added flags to the TurboJPEG API that allow the caller to force
      the use of either the fast or the accurate DCT/IDCT algorithms
      in the underlying codec.
    * More recent versions of autoconf add -traditional-cpp to the CPP
      flags, which causes jsimdcfg.inc.h to not preprocess correctly
      unless we expand all of the instances of the #definev macro.
    * Fixed regression caused by a bug in the 32-bit strict memory access
      code in jdmrgss2.asm (contributed by Chromium to stop valgrind from
      whining whenever the output buffer size was not evenly divisible by
      16 bytes.) On Linux/x86, this regression generated incorrect
      pixels on the right-hand side of images whose rows were not 16-byte
      aligned, whenever fancy upsampling was used. This patch also
      enables the strict memory access code on all platforms, not just
      Linux (it does no harm on other platforms) and removes a couple of
      pcmpeqb instructions that were rendered unnecessary by r835.
    * Accelerated 4:2:2 upsampling routine for ARM (improves
      performance ~20-30% when decompressing 4:2:2 JPEGs using
      fancy upsampling)
    * Eliminate the use of the MASKMOVDQU instruction, to speed
      up decompression performance by 10x on AMD Bobcat embedded
      processors (and ~5% on AMD desktop processors.)
    * add tjbench to libjpeg-turbo-test packages
    * Guard against num_components being a ridiculous
      value due to a corrupt header
    * Preserve all 128 bits of xmm6 and xmm7

  [ Matthias Klose ]
  * Prepare the package for quantal, basing on the 1.2.1 release tarball.
  * d/patches/branch-updates.diff: Update to 20120919 of the 1.2.x branch,
    but don't bump the version to 1.2.2.
  * d/patches/guard-inline-define: Remove, integrated upstream.
 -- Matthias Klose <email address hidden> Thu, 20 Sep 2012 00:18:15 +0200

Changed in libjpeg-turbo (Ubuntu):
status: In Progress → Fix Released
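
The changelog item "Guard against num_components being a ridiculous value due to a corrupt header" describes a count read from the file that must be bounded before it sizes or indexes anything. The following is an added example, not libjpeg-turbo's code and not part of the bug thread: a pre-parse check that walks the marker segments and rejects out-of-range component counts. The function name, the result codes and the frame limit of 10 are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_COMPONENTS    10 /* assumed decoder limit for frame components */
#define MAX_COMPS_IN_SCAN  4 /* a JPEG scan header carries 1..4 components */
enum jpeg_check { JPEG_OK, JPEG_TRUNCATED, JPEG_BAD_MARKER, JPEG_BAD_COUNT };

/* Walk marker segments up to the first scan; reject component counts that
 * would overrun fixed-size per-component tables. Simplification: fill bytes
 * and standalone markers before the scan are reported as bad markers. */
enum jpeg_check check_component_counts(const uint8_t *buf, size_t len)
{
    size_t pos = 2;
    int frame_comps = -1;                       /* set once a SOFn is seen */
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_BAD_MARKER;
    while (pos + 4 <= len) {
        if (buf[pos] != 0xFF) return JPEG_BAD_MARKER;
        uint8_t m = buf[pos + 1];
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || seglen > len - pos - 2) return JPEG_TRUNCATED;
        const uint8_t *p = buf + pos + 4;       /* payload after the length */
        size_t plen = seglen - 2;
        int sof = m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC;
        if ((sof || m == 0xDA) && plen < 6) return JPEG_TRUNCATED;
        if (sof) {
            unsigned nf = p[5];                 /* SOFn: P, Y, X, then Nf */
            if (nf < 1 || nf > MAX_COMPONENTS || plen != 6 + 3 * (size_t)nf)
                return JPEG_BAD_COUNT;
            frame_comps = (int)nf;
        } else if (m == 0xDA) {                 /* SOS: first byte is Ns */
            unsigned ns = p[0];
            if (frame_comps < 0 || ns < 1 || ns > MAX_COMPS_IN_SCAN ||
                ns > (unsigned)frame_comps || plen != 4 + 2 * (size_t)ns)
                return JPEG_BAD_COUNT;
            return JPEG_OK;
        }
        pos += 2 + seglen;
    }
    return JPEG_TRUNCATED;
}
/* Constructed samples: SOI, SOF0, SOS only. The second claims 200 components. */
static const uint8_t sample_ok[] = { 0xFF,0xD8, 0xFF,0xC0,0x00,0x0B,0x08,0x00,
    0x01,0x00,0x01,0x01,0x01,0x11,0x00, 0xFF,0xDA,0x00,0x08,0x01,0x01,0x00,
    0x00,0x3F,0x00 };
static const uint8_t sample_bad[] = { 0xFF,0xD8, 0xFF,0xC0,0x00,0x0B,0x08,0x00,
    0x01,0x00,0x01,0xC8,0x01,0x11,0x00, 0xFF,0xDA,0x00,0x08,0x01,0x01,0x00,
    0x00,0x3F,0x00 };
int main(void) {  /* exit status 0 when both samples classify as expected */
    return check_component_counts(sample_ok, sizeof sample_ok) != JPEG_OK ||
           check_component_counts(sample_bad, sizeof sample_bad) != JPEG_BAD_COUNT;
}
```

A check like this belongs in front of any code that loops over per-component arrays, so a corrupt count is refused before it is used as a bound.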