Flash leak of uninitialized data whilst rendering JPEGs

Reported by cevans@google.com, Jul 8 2014
This is probably another instance of CVE-2013-6629, reference: http://seclists.org/fulldisclosure/2013/Nov/83

A SWF to reproduce is attached, along with source. To reproduce, host JPEGLeak.swf on the same web server / directory as 55.jpg. Since this is uninitialized data, you can reload the SWF and see the rendered JPEG change either slightly or sometimes dramatically. It seems to work best with a Flash process that is not fresh. A couple of screenshots are attached to illustrate that the rendered images can sometimes differ significantly.

The SWF file also demonstrates that the uninitialized data can be leaked to script, which makes the issue interesting / more serious.

If this is indeed the same underlying issue as CVE-2013-6629, then this patch may be useful: http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libjpeg/jdmarker.c?r1=228354&r2=228353&pathrev=228354
Comment 1 by cevans@google.com, Jul 8 2014

Aug 21 2014
Oh! This is not fixed in the latest Flash update: http://helpx.adobe.com/security/products/flash-player/apsb14-18.html

Sep 5 2014

Sep 9 2014
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html Will derestrict in a week or so, etc.

Sep 23 2014
Making public.