Multiple Vulnerabilities in jpeg-xl
===================================
CVE: CVE-2021-27804
Highest Severity Rating: High
Confirmed Affected Versions: jpeg-xl v0.3.1 and earlier
Vendor: Joint Photographic Experts Group (JPEG)
Vendor URL: https://gitlab.com/wg1/jpeg-xl


Summary and Impact
------------------
jpeg-xl is the reference implementation by the Joint Photographic
Experts Group (JPEG) of the new JPEG XL standard.
Multiple memory corruption vulnerabilities were found and reported in
the last 3 months. The security issues were responsively reported to
the vendor and were fixed in subsequent version, however silently.

The changelog does not reflect security issues being fixed:

jpeg-xl (0.3.2) urgency=medium

  * Bump JPEG XL version to 0.3.2.
  * Fix embedded ICC encoding regression #149.

 -- Fri, 12 Feb 2021 21:00:12 +0100

jpeg-xl (0.3.1) urgency=medium

  * Bump JPEG XL version to 0.3.1.

 -- Tue, 09 Feb 2021 09:48:43 +0100

jpeg-xl (0.3) urgency=medium

  * Bump JPEG XL version to 0.3.

 -- Wed, 27 Jan 2021 22:36:32 +0100

All the while it is already being available e.g. in Arch Linux
(https://aur.archlinux.org/packages/libjpeg-xl-git/) and FreeBSD
(https://pkgs.org/download/jpeg-xl) and is currently in the process of
being added to Debian and therefore to Ubuntu and Kali Linux.

Hence the need to sit down and write a boring advisory to publish on a
mailing list instead of doing something more interesting :(

For anyone interested, the memory corruptions were discovered by using
the AFL++ fuzzer (https://github.com/AFLplusplus/AFLplusplus) for just a
few hours for testing purposes. The current v0.3.2 release of jpeg-xl
also produces writeable memory corruptions when fuzzing for a very short
time (with a good starting corpus that is).


Recommendation
--------------
The vendor should establish a proper notification on fixed security
issues in the changelog and not put the Internet at risk.


-- 
Marc Heuse
www.mh-sec.de

PGP: AF3D 1D4C D810 F0BB 977D  3807 C7EE D0A0 6BE9 F573