
CVE-2018-14498 from libjpeg-turbo

Open bdeweygit opened this issue 2 years ago • 17 comments

Description

The latest version of Fresco uses libjpeg-turbo and specifies version 1.5.3 here. This version of libjpeg-turbo is vulnerable to CVE-2018-14498.

Reproduction

I have no example of how the vulnerability may be exploited in the context of this project.

Solution

Upgrade libjpeg-turbo to a higher version which is not associated with any CVE. The minimum version which resolves CVE-2018-14498 is 2.0.0. You may wish to go higher, but be aware that some higher versions may have their own CVE. For example, you should not upgrade to version 2.0.1 as this version has CVE-2018-20330.

Additional Information

  • Fresco version: 3.0.0
  • Because libjpeg-turbo is a C library and Java build tools cannot report vulnerable C libraries, do not expect a dependency scan to reveal vulnerabilities associated with the library.

bdeweygit avatar May 13 '23 22:05 bdeweygit

@oprisnik can you take a look at this one?

cortinico avatar May 15 '23 10:05 cortinico

Does anyone have any rough timescales on this one? We've failed a pen test due to this vulnerability and are on a really tight timescale to get it retested and passed before we can start a new contract.

Thanks!

pyoung458 avatar May 18 '23 12:05 pyoung458

Bump

Skizu avatar Jun 06 '23 19:06 Skizu

Same here

jonathanm-tkf avatar Jul 20 '23 19:07 jonathanm-tkf

Yep, trying to close some CVEs on our app. Ideally bump libjpeg-turbo to ^3.0.0.

dcjack avatar Sep 18 '23 18:09 dcjack

Also trying to close some CVEs. Any updates on this?

gbower30 avatar Sep 27 '23 16:09 gbower30

We have this on a pen test report too.

dwxw avatar Nov 22 '23 15:11 dwxw

We have this on a pen test report too. Any updates on this?

turabek avatar Dec 11 '23 04:12 turabek

Here also with the issue reported on a pen test

enriqueviard avatar Dec 13 '23 17:12 enriqueviard

Any updates on this?

mgalante avatar Feb 01 '24 15:02 mgalante

Any updates on this? It's been years since this vulnerability was reported.

try-catch-stack avatar Feb 09 '24 20:02 try-catch-stack

Google app services still reports this as a vulnerability when trying to upload an application created with react-native due to the usage of this library. Is there any update?

kbar163 avatar Mar 21 '24 22:03 kbar163

What's the risk of having this unpatched?

drstevenbrule avatar Mar 26 '24 16:03 drstevenbrule

@drstevenbrule the risk is a heap-based buffer over-read and application crash when libjpeg-turbo compresses certain specially-crafted 8-bit BMP files during conversion to JPEG. See NVD detail and this libjpeg-turbo commit. A good victim would be a social media application that shares user-uploaded bitmap images which it converts to JPEG at display time. An attacker seeking denial of service could upload a malicious bitmap image, and any user who would view that image will experience an application crash from the resulting out-of-bounds memory read during conversion.

bdeweygit avatar Mar 26 '24 18:03 bdeweygit
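For readers who, like the commenter above, run a service that accepts user-uploaded BMPs and transcodes them with a libjpeg-turbo build that cannot yet be upgraded, the following is an added example of a defender-side pre-check, not code from the Fresco project or from libjpeg-turbo. It implements the condition the NVD description of CVE-2018-14498 gives as the root cause: an uncompressed 8-bit BMP in which a pixel's colour index is out of range for the number of palette entries. Files that fail the check are rejected before they ever reach the transcoder. The validator only handles BITMAPINFOHEADER-style files with no compression, and the `make_8bit_bmp` helper builds constructed sample files for exercising it; both function names are this example's own.

```python
"""Pre-check uploaded BMPs before handing them to a JPEG transcoder.

Added example (not Fresco or libjpeg-turbo code). Rejects uncompressed
8-bit palette BMPs whose pixel indices exceed the palette size, which is
the malformed input class described for CVE-2018-14498.
"""
import struct


class BmpValidationError(ValueError):
    """Raised when a BMP is malformed or outside the accepted subset."""


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _s32(buf, off):
    return struct.unpack_from("<i", buf, off)[0]


def validate_bmp(data: bytes) -> dict:
    """Return basic image facts for an accepted BMP, else raise BmpValidationError."""
    if len(data) < 54 or data[:2] != b"BM":
        raise BmpValidationError("not a BMP file")
    pixel_offset = _u32(data, 10)
    header_size = _u32(data, 14)
    if header_size < 40:  # only BITMAPINFOHEADER and later variants handled here
        raise BmpValidationError("unsupported BMP header")
    width = _s32(data, 18)
    height = _s32(data, 22)
    bpp = _u16(data, 28)
    compression = _u32(data, 30)
    colors_used = _u32(data, 46)
    if compression != 0:
        raise BmpValidationError("compressed BMP not accepted")
    if width <= 0 or height == 0:
        raise BmpValidationError("invalid image dimensions")
    rows = abs(height)  # negative height means top-down row order
    if bpp not in (8, 24, 32):
        raise BmpValidationError(f"unsupported bit depth {bpp}")

    palette_entries = 0
    if bpp == 8:
        # A zero biClrUsed means the full 256-entry palette is present.
        palette_entries = colors_used if colors_used else 256
        if palette_entries > 256:
            raise BmpValidationError("palette entry count out of range")
        palette_start = 14 + header_size
        palette_end = palette_start + 4 * palette_entries
        if palette_end > pixel_offset or palette_end > len(data):
            raise BmpValidationError("palette overruns pixel data or file")

    bytes_per_pixel = bpp // 8
    stride = (width * bytes_per_pixel + 3) & ~3  # rows are padded to 4 bytes
    if pixel_offset + stride * rows > len(data):
        raise BmpValidationError("pixel data truncated")

    if bpp == 8:
        # The CVE-2018-14498 condition: every colour index must address an
        # existing palette entry, otherwise a naive reader over-reads the palette.
        for r in range(rows):
            start = pixel_offset + r * stride
            worst = max(data[start:start + width])
            if worst >= palette_entries:
                raise BmpValidationError(
                    f"row {r}: colour index {worst} >= palette size {palette_entries}")

    return {"width": width, "height": rows, "bpp": bpp,
            "palette_entries": palette_entries}


def make_8bit_bmp(width, height, palette_entries, pixels):
    """Build a minimal uncompressed 8-bit BMP (constructed sample data for tests)."""
    stride = (width + 3) & ~3
    header_size = 40
    palette = b"".join(struct.pack("<BBBB", i, i, i, 0) for i in range(palette_entries))
    pixel_offset = 14 + header_size + len(palette)
    body = b""
    for r in range(height):
        row = bytes(pixels[r * width:(r + 1) * width])
        body += row + b"\x00" * (stride - width)
    file_header = b"BM" + struct.pack("<IHHI", pixel_offset + len(body), 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII", header_size, width, height, 1, 8, 0,
                              len(body), 2835, 2835, palette_entries, palette_entries)
    return file_header + info_header + palette + body


if __name__ == "__main__":
    ok = make_8bit_bmp(2, 2, 4, [0, 1, 2, 3])
    print(validate_bmp(ok))
    bad = make_8bit_bmp(2, 2, 4, [0, 1, 2, 200])  # index 200 with only 4 palette entries
    try:
        validate_bmp(bad)
    except BmpValidationError as e:
        print("rejected:", e)
```

This is a gate in front of the transcoder, not a replacement for upgrading: it only covers the input class the advisory names, and the real fix is the libjpeg-turbo version bump discussed in this thread.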

@cortinico if Fresco never under any circumstance uses libjpeg-turbo to manipulate BMP files, then this CVE cannot be exploited. Browsing the source code I don't think it ever does, but maybe a core contributor can confirm? An example of using it to instigate the crash is here with some appropriate BMP files available here.

bdeweygit avatar Mar 26 '24 20:03 bdeweygit

@cortinico @oprisnik would you take a look at https://github.com/facebook/fresco/pull/2768.

mnt avatar Apr 18 '24 13:04 mnt

@mnt @cortinico @oprisnik Any update here? This vulnerability has been sitting for some time. Thanks!

royjayperryman avatar May 03 '24 18:05 royjayperryman

We are planning to fix this by merging #2768.

steelrooter avatar May 29 '24 10:05 steelrooter

@steelrooter when can we take a release cut to upgrade Fresco on react-native?

mnt avatar May 29 '24 11:05 mnt

Closing as this was fixed in Fresco 3.2.0.

cortinico avatar Jun 04 '24 17:06 cortinico