Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1638-1 libjpeg-turbo

Debian Security Advisory

DLA-1638-1 libjpeg-turbo -- LTS security update

Date Reported:

22 Jan 2019

Affected Packages:

libjpeg-turbo

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-3616, CVE-2018-1152, CVE-2018-11212, CVE-2018-11213, CVE-2018-11214.

More information:

Several vulnerabilities have been resolved in libjpeg-turbo, Debian's default JPEG implemenation.

• CVE-2016-3616

  The cjpeg utility in libjpeg allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.

  This issue got fixed by the same patch that fixed CVE-2018-11213 and CVE-2018-11214.

• CVE-2018-1152

  libjpeg-turbo has been found vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image. The issue has been resolved by a boundary check.

• CVE-2018-11212

  The alloc_sarray function in jmemmgr.c allowed remote attackers to cause a denial of service (divide-by-zero error) via a crafted file.

  The issue has been addressed by checking the image size when reading a targa file and throwing an error when image width or height is 0.

• CVE-2018-11213 / CVE-2018-11214

  The get_text_gray_row and get_text_rgb_row functions in rdppm.c both allowed remote attackers to cause a denial of service (Segmentation fault) via a crafted file.

  By checking the range of integer values in PPM text files and adding checks to ensure values are within the specified range, both issues

For Debian 8 Jessie, these problems have been fixed in version 1:1.3.1-12+deb8u1.

We recommend that you upgrade your libjpeg-turbo packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS