Debian Security Advisory

DLA-1638-1 libjpeg-turbo -- LTS security update

Date Reported:
22 Jan 2019
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-3616, CVE-2018-1152, CVE-2018-11212, CVE-2018-11213, CVE-2018-11214.
More information:

Several vulnerabilities have been resolved in libjpeg-turbo, Debian's default JPEG implemenation.

  • CVE-2016-3616

    The cjpeg utility in libjpeg allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.

    This issue got fixed by the same patch that fixed CVE-2018-11213 and CVE-2018-11214.

  • CVE-2018-1152

    libjpeg-turbo has been found vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image. The issue has been resolved by a boundary check.

  • CVE-2018-11212

    The alloc_sarray function in jmemmgr.c allowed remote attackers to cause a denial of service (divide-by-zero error) via a crafted file.

    The issue has been addressed by checking the image size when reading a targa file and throwing an error when image width or height is 0.

  • CVE-2018-11213 / CVE-2018-11214

    The get_text_gray_row and get_text_rgb_row functions in rdppm.c both allowed remote attackers to cause a denial of service (Segmentation fault) via a crafted file.

    By checking the range of integer values in PPM text files and adding checks to ensure values are within the specified range, both issues

For Debian 8 Jessie, these problems have been fixed in version 1:1.3.1-12+deb8u1.

We recommend that you upgrade your libjpeg-turbo packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: