[SECURITY] [DLA 2302-1] libjpeg-turbo security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2302-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/
July 31, 2020 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : libjpeg-turbo
Version : 1:1.5.1-2+deb9u1
CVE ID : CVE-2018-1152 CVE-2018-14498 CVE-2020-13790 CVE-2020-14152
Debian Bug : 902950 924678 962829
Several vulnerabilities were fixed in libjpeg-turbo,
a widely used library for handling JPEG files.
CVE-2018-1152
Denial of service vulnerability caused by a divide by zero when
processing a crafted BMP image in TJBench.
CVE-2018-14498
Denial of service (heap-based buffer over-read and application
crash) via a crafted 8-bit BMP in which one or more of the color
indices is out of range for the number of palette entries.
CVE-2020-13790
Heap-based buffer over-read via a malformed PPM input file.
CVE-2020-14152
jpeg_mem_available() did not honor the max_memory_to_use setting,
possibly causing excessive memory consumption.
For Debian 9 stretch, these problems have been fixed in version
1:1.5.1-2+deb9u1.
We recommend that you upgrade your libjpeg-turbo packages.
For the detailed security status of libjpeg-turbo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libjpeg-turbo
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAl8kYtUACgkQiNJCh6LY
mLEI4A//ZSRkBmcgBfAISfFItnREpK4GLA/wfEza8IYh0AT1N5hRmOdEwwR0noCB
VLAlLXTo9DM05rlJxI/EkqK5MthFqg25CQhgz9mGpJANrgmvFbwNvNxx9Iw6IsHs
V46uKPf62GFeCjsCcXvNjR2x8Q5oRrf0xCZrO/cVCdvS/8sNKCF+8GscXKJCQxzY
adWYAgTGJh+UuMJksgINP0aIbVv2kmQR58FhjUgJiNfxg15Vhkzzwf6M15B6yUx8
idNqNDSUcg29V7QTOiFd9Fg/JSfRGAzgflvcZK7/qVIhxdWsn9ZDRFwnTkHo5cO3
G+tExD1q7QGsk8Udz0Da8U2N+D/Qywc++iRTaI7omFVZer1tBwc6il7Vi1STKi0L
xPmsjwdKux6So+wgSn6at/GafIXcLFqkCCP9+wGR9hcIRoWiHGTfA7jxcuWyv6Lq
s5Mcp7kMsjAijvu7VSoU+Ur7lI0E3/PnjjiF7AX6GWVshG0zCZWQI/Ziy31h5piY
bDoqsT5RDs8+F1WgmCBsbaFcqDQKHng2lb+z3eTgcYuyFYsuco0y/0CTyjRg3Yi/
iTQi8PRIyQotW/bcohO5xY37zC2qfLeNXFY3Csdr7VliVZo0eMB3sVJnHMO1Pqob
CB0cUCQDiJ8TTVaGfM9rhqlozgSbMXOLzfjXhjtzwO2Pm6VlOOo=
=JzVH
-----END PGP SIGNATURE-----
Reply to: