facebook / fresco

An Android library for managing images and the memory they use.
https://frescolib.org/
MIT License

CVE-2018-14498 from libjpeg-turbo #2728

Closed bdeweygit closed 5 months ago

bdeweygit commented 1 year ago

Description

The latest version of Fresco uses libjpeg-turbo and specifies version 1.5.3 here. This version of libjpeg-turbo is vulnerable to CVE-2018-14498.

Reproduction

I have no example of how the vulnerability may be exploited in the context of this project.

Solution

Upgrade libjpeg-turbo to a higher version which is not associated with any CVE. The minimum version which resolves CVE-2018-14498 is 2.0.0. You may wish to go higher, but be aware that some higher versions may have their own CVE. For example, you should not upgrade to version 2.0.1 as this version has CVE-2018-20330.

Additional Information

cortinico commented 1 year ago

@oprisnik can you take a look at this one?

pyoung458 commented 1 year ago

Does anyone have any rough timescales on this one? We've failed a pen test due to this vulnerability and are on a really tight timescale to get it retested and passed before we can start a new contract.

Thanks!

Skizu commented 1 year ago

Bump

jonathanm-tkf commented 1 year ago

Same here

dcjack commented 1 year ago

Yep, trying to close some CVEs on our app. Ideally bump libjpeg-turbo to ^3.0.0.

gbower30 commented 1 year ago

Also trying to close some CVEs. Any updates on this?

dwxw commented 11 months ago

We have this on a pen test report too.

turabek commented 11 months ago

We have this on a pen test report too. Any updates on this?

enriqueviard commented 11 months ago

Here also with the issue reported on a pen test

mgalante commented 9 months ago

Any updates on this?

try-catch-stack commented 9 months ago

Any updates on this? It's been years since this vulnerability was reported.

kbar163 commented 7 months ago

Google app services still reports this as a vulnerability when trying to upload an application created with react-native due to the usage of this library. Is there any update?

drstevenbrule commented 7 months ago

What's the risk of having this unpatched?

bdeweygit commented 7 months ago

@drstevenbrule the risk is a heap-based buffer over-read and application crash when libjpeg-turbo compresses certain specially-crafted 8-bit BMP files during conversion to JPEG. See NVD detail and this libjpeg-turbo commit. A good victim would be a social media application that shares user uploaded bitmap images which it converts to JPEG at display time. An attacker seeking denial of service could upload a malicious bitmap image and any user who would view that image will experience an application crash from the resulting out-of-bounds memory read during conversion.

bdeweygit commented 7 months ago

@cortinico if Fresco never under any circumstance uses libjpeg-turbo to manipulate BMP files, then this CVE cannot be exploited. Browsing the source code I don't think it ever does, but maybe a core contributor can confirm? An example of using it to instigate the crash is here with some appropriate BMP files available here.
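
The failure mode bdeweygit describes in the two comments above (a palette index in an 8-bit BMP that is larger than the number of palette entries, read past the colormap during BMP-to-JPEG conversion), as an added C example that is not Fresco's or libjpeg-turbo's own code: a small builder that produces a constructed 8-bit BMP, and a palette expander that refuses any index not covered by biClrUsed, which is the check the fixed libjpeg-turbo reader performs. The function names, status codes and sample pixel data are this example's own assumptions, and the parser handles only the common BITMAPINFOHEADER / BI_RGB / bottom-up layout; it does not reproduce libjpeg-turbo's rdbmp.c.

```c
/* Added example, not Fresco's or libjpeg-turbo's own code: a bounds-checked
 * 8-bit BMP palette expander plus a tiny BMP builder for constructed input.
 * The unpatched libjpeg-turbo 1.5.3 reader looked up colormap[index] without
 * checking index < biClrUsed; a crafted file with a short palette and a large
 * index therefore read past the colormap (CVE-2018-14498). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum bmp_status {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED,
    BMP_ERR_NOT_BMP,
    BMP_ERR_UNSUPPORTED,
    BMP_ERR_BAD_HEADER,
    BMP_ERR_INDEX_OUT_OF_RANGE   /* the condition the fixed reader rejects */
};
#define BMP_HDR_SIZE 54          /* BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build an uncompressed, bottom-up, 8-bit BMP from top-down pixel indices.
 * ncolors goes into biClrUsed and gets a grey-ramp palette (values are arbitrary).
 * Returns bytes written, or 0 if cap is too small or ncolors is invalid. */
size_t bmp8_build(uint8_t *out, size_t cap, uint32_t width, uint32_t height,
                  uint32_t ncolors, const uint8_t *indices) {
    size_t stride = ((size_t)width + 3) & ~(size_t)3;   /* rows are padded to 4 bytes */
    size_t off_bits = BMP_HDR_SIZE + (size_t)ncolors * 4;
    size_t total = off_bits + stride * height;
    if (total > cap || ncolors == 0 || ncolors > 256) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)total);
    wr32(out + 10, (uint32_t)off_bits);
    wr32(out + 14, 40);                                  /* biSize */
    wr32(out + 18, width);
    wr32(out + 22, height);
    out[26] = 1;                                         /* biPlanes */
    out[28] = 8;                                         /* biBitCount */
    wr32(out + 46, ncolors);                             /* biClrUsed */
    for (uint32_t i = 0; i < ncolors; i++) {             /* B,G,R,reserved entries */
        uint8_t *e = out + BMP_HDR_SIZE + i * 4;
        e[0] = e[1] = e[2] = (uint8_t)(i * 255 / (ncolors > 1 ? ncolors - 1 : 1));
    }
    for (uint32_t y = 0; y < height; y++)                /* bottom row is stored first */
        memcpy(out + off_bits + (size_t)(height - 1 - y) * stride, indices + (size_t)y * width, width);
    return total;
}

/* Expand an 8-bit paletted BMP into packed RGB, top row first. rgb may be NULL
 * to only validate the file; otherwise it needs width*height*3 bytes. Every
 * palette index is checked against biClrUsed before it is used as an offset. */
enum bmp_status bmp8_to_rgb(const uint8_t *bmp, size_t len, uint8_t *rgb, size_t rgb_cap,
                            uint32_t *width_out, uint32_t *height_out) {
    if (len < BMP_HDR_SIZE) return BMP_ERR_TRUNCATED;
    if (bmp[0] != 'B' || bmp[1] != 'M') return BMP_ERR_NOT_BMP;
    if (rd32(bmp + 14) != 40 || rd32(bmp + 30) != 0 || bmp[28] != 8 || bmp[29] != 0)
        return BMP_ERR_UNSUPPORTED;                      /* BITMAPINFOHEADER, BI_RGB, 8 bpp only */
    uint32_t width = rd32(bmp + 18), height = rd32(bmp + 22);
    uint32_t off_bits = rd32(bmp + 10), ncolors = rd32(bmp + 46);
    if (ncolors == 0) ncolors = 256;                     /* same default the libjpeg-turbo reader uses */
    if (ncolors > 256 || width == 0 || width > 0x7fffffffu || height == 0 || height > 0x7fffffffu)
        return BMP_ERR_BAD_HEADER;                       /* top-down (negative height) not handled */
    if (BMP_HDR_SIZE + (size_t)ncolors * 4 > len || off_bits > len) return BMP_ERR_TRUNCATED;
    size_t stride = ((size_t)width + 3) & ~(size_t)3;
    if ((len - off_bits) / stride < height) return BMP_ERR_TRUNCATED;
    if (rgb && (uint64_t)width * height * 3 > rgb_cap) return BMP_ERR_BAD_HEADER;
    const uint8_t *palette = bmp + BMP_HDR_SIZE;
    for (uint32_t y = 0; y < height; y++) {
        const uint8_t *row = bmp + off_bits + (size_t)(height - 1 - y) * stride;
        for (uint32_t x = 0; x < width; x++) {
            uint8_t idx = row[x];
            if (idx >= ncolors) return BMP_ERR_INDEX_OUT_OF_RANGE;   /* the check 1.5.3 lacked */
            if (rgb) {
                const uint8_t *e = palette + (size_t)idx * 4;
                uint8_t *o = rgb + ((size_t)y * width + x) * 3;
                o[0] = e[2]; o[1] = e[1]; o[2] = e[0];   /* BGR -> RGB */
            }
        }
    }
    if (width_out) *width_out = width;
    if (height_out) *height_out = height;
    return BMP_OK;
}

int main(void) {
    static const uint8_t px[8] = { 0, 1, 2, 3, 3, 2, 1, 0 };   /* constructed 4x2 image */
    uint8_t bmp[128], rgb[4 * 2 * 3];
    uint32_t w, h;
    size_t n = bmp8_build(bmp, sizeof bmp, 4, 2, 4, px);
    printf("valid image:   status %d\n", bmp8_to_rgb(bmp, n, rgb, sizeof rgb, &w, &h));
    bmp[n - 1] = 200;            /* one index far beyond the 4-entry palette */
    printf("crafted image: status %d\n", bmp8_to_rgb(bmp, n, rgb, sizeof rgb, &w, &h));
    return 0;
}
```

The validation pass (rgb == NULL) is the pre-check to run on untrusted bitmaps before they reach any converter that still ships the unpatched reader: the crafted file differs from the valid one in a single pixel byte while biClrUsed stays at 4, which is exactly what makes the index unsafe. A biClrUsed of 0 means a full 256-entry palette, for which every byte is in range, so that case is accepted only if the file actually carries the 1024 palette bytes; a short file is reported as truncated rather than read past its end.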

mnt commented 6 months ago

@cortinico @oprisnik would you take a look at https://github.com/facebook/fresco/pull/2768.

royjayperryman commented 6 months ago

@mnt @cortinico @oprisnik Any update here? This vulnerability has been sitting for some time. Thanks!

steelrooter commented 5 months ago

We are planning to fix this by merging #2768.

mnt commented 5 months ago

@steelrooter when can we take a release cut to upgrade Fresco on react-native?

cortinico commented 5 months ago

Closing as this was fixed in Fresco 3.2.0