• [gentoo-announce] [ GLSA 202210-36 ] libjxl: Denial of Service

    From glsamaker@gentoo.org@21:1/5 to All on Mon Oct 31 21:40:01 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202210-36
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Low
    Title: libjxl: Denial of Service
    Date: October 31, 2022
    Bugs: #856037
    ID: 202210-36

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been found in libjxl which could result in denial of service.

    Background
    ==========

    libjxl is the JPEG XL image format reference implementation.

    Affected packages
    =================

    -------------------------------------------------------------------
         Package      /       Vulnerable       /       Unaffected
    -------------------------------------------------------------------
      1  media-libs/libjxl    < 0.7.0_pre20220825    >= 0.7.0_pre20220825

    Description
    ===========

    libjxl contains an unnecessary assertion in
    jxl::LowMemoryRenderPipeline::Init.

    Impact
    ======

    An attacker can cause a denial of service of the libjxl process via a
    crafted input file.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/libjxl-0.7.0_pre20220825"
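
An added example (not part of the GLSA or of Portage) that triages an inventory of installed media-libs/libjxl versions against the boundary in the Affected packages table. It assumes a simplified Gentoo version grammar (dotted numbers, one optional _alpha/_beta/_pre/_rc/_p suffix, optional -rN revision); the host names and versions in the sample inventory are constructed.

```python
import re

# First unaffected version, from the advisory's "Affected packages" table.
FIXED = "0.7.0_pre20220825"

# Gentoo suffix order: _alpha < _beta < _pre < _rc < (no suffix) < _p
_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

# Assumption: simplified grammar, no letter component, at most one suffix.
_VERSION_RE = re.compile(
    r"(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<snum>\d*))?"
    r"(?:-r(?P<rev>\d+))?"
)


def version_key(version):
    """Return a sortable key for a simplified Gentoo version string."""
    m = _VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    return (nums, _RANK[m.group("suffix")],
            int(m.group("snum") or 0), int(m.group("rev") or 0))


def is_vulnerable(version, fixed=FIXED):
    """True when version sorts strictly below the first unaffected one."""
    return version_key(version) < version_key(fixed)


def triage(inventory):
    """Map host -> 'vulnerable', 'unaffected', or 'unparsed' (manual review)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "unaffected"
        except ValueError:
            result[host] = "unparsed"  # never silently treated as safe
    return result


# Constructed sample inventory; hosts and versions are illustrative only.
SAMPLE = {"build01": "0.6.1", "web02": "0.7.0_pre20220311",
          "web03": "0.7.0_pre20220825", "dev04": "0.7.0_pre20220825-r1",
          "dev05": "0.7.0", "ci06": "0.7.0a"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {status}")
```

On a Gentoo host, Portage's own version comparison is authoritative; this key covers only the version forms listed above.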

    References
    ==========

    [ 1 ] CVE-2022-34000
    https://nvd.nist.gov/vuln/detail/CVE-2022-34000

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202210-36

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5