ports/169963: [PATCH] update graphics/libjpeg-turbo: update to 1.2.1
Denis E Podolskiy
bytestore at yandex.ru
Wed Jul 18 08:50:12 UTC 2012
>Number: 169963
>Category: ports
>Synopsis: [PATCH] update graphics/libjpeg-turbo: update to 1.2.1
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 18 08:50:11 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Denis E Podolskiy
>Release: 9.0-RELEASE
>Organization:
>Environment:
FreeBSD test.sys-media.ru 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
A Heap-based buffer overflow was found in the way libjpeg-turbo
decompressed certain corrupt JPEG images in which the component count
was erroneously set to a large value. An attacker could create a
specially-crafted JPEG image that, when opened, could cause an
application using libpng to crash or, possibly, execute arbitrary code
with the privileges of the user running the application.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=826849
http://libjpeg-turbo.svn.sourceforge.net/viewvc/libjpeg-turbo?view=revision&revision=830
This issue has been assigned CVE-2012-2806.
Upstream release of libjpeg-turbo-1.2.1 resolves this issue.
Thanx to Huzaifa Sidhpurwala / Red Hat Security Response Team
>How-To-Repeat:
>Fix:
update to libjpeg-turbo-1.2.1
Patch attached with submission follows:
--- ./Makefile.orig<--->2012-07-18 08:56:18.000000000 +0000
+++ ./Makefile<>2012-07-18 08:56:11.000000000 +0000
@@ -6,7 +6,7 @@
#
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list