CVE-2023-2804。libjpeg-turbo

[aLittleGreens]

There is a security vulnerability in libjpeg-turbo, which originates from the heap buffer overflow at /libjpeg-turbo/jdmrext.c:126 in h2v2_merged_upsample_internal().

[softavail]

I run into the same issue.
Bellow are the vulnerability details
https://www.cvedetails.com/cve/CVE-2023-2804

It is not very clear which version of libjpeg-turbo fixes this issue, but I guess it is 2.1.90

Bellow is a link with the fix
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021

Latest fresco v3.4.0 depends on libjpeg-turbo 2.1.5.1
I suppose the fix is to make fresco library to depend from libjpeg-turbo where this vulnerability is fixed

Thank you!

[snijsure]

I have scratch PR that where I attempted to update Fresco to libjpeg-turbo to 2.1.91

Is the process to bump libjpeg-turbo documented somewhere?

yasm: FATAL: unable to open include file `jsimdext.inc'
make: *** [.../Library/Android/sdk/ndk/26.1.10909125/build/core/build-binary.mk:419: .../work/samples/fresco-fork/fresco/native-imagetranscoder/build/tmp/ndk_build_native-imagetranscoder/local/x86/objs/fb_jpegturbo/simd/i386/jcsample-sse2.o] Error 1

Somehow when compiling SIMD code for i386 yasm is not able to find include files.

@oprisnik @alanleedev is there someone specific I need to tag?