[SECURITY] [DLA 2302-1] libjpeg-turbo security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2302-1] libjpeg-turbo security update
From: Adrian Bunk <bunk@debian.org>
Date: Fri, 31 Jul 2020 21:28:37 +0300
Message-id: <[🔎] 20200731182837.GA2366@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2302-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                     
July 31, 2020                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libjpeg-turbo
Version        : 1:1.5.1-2+deb9u1
CVE ID         : CVE-2018-1152 CVE-2018-14498 CVE-2020-13790 CVE-2020-14152
Debian Bug     : 902950 924678 962829

Several vulnerabilities were fixed in libjpeg-turbo,
a widely used library for handling JPEG files.

CVE-2018-1152

    Denial of service vulnerability caused by a divide by zero when 
    processing a crafted BMP image in TJBench.

CVE-2018-14498

    Denial of service (heap-based buffer over-read and application 
    crash) via a crafted 8-bit BMP in which one or more of the color 
    indices is out of range for the number of palette entries.

CVE-2020-13790

    Heap-based buffer over-read via a malformed PPM input file.

CVE-2020-14152

    jpeg_mem_available() did not honor the max_memory_to_use setting, 
    possibly causing excessive memory consumption.

For Debian 9 stretch, these problems have been fixed in version
1:1.5.1-2+deb9u1.

We recommend that you upgrade your libjpeg-turbo packages.

For the detailed security status of libjpeg-turbo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libjpeg-turbo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAl8kYtUACgkQiNJCh6LY
mLEI4A//ZSRkBmcgBfAISfFItnREpK4GLA/wfEza8IYh0AT1N5hRmOdEwwR0noCB
VLAlLXTo9DM05rlJxI/EkqK5MthFqg25CQhgz9mGpJANrgmvFbwNvNxx9Iw6IsHs
V46uKPf62GFeCjsCcXvNjR2x8Q5oRrf0xCZrO/cVCdvS/8sNKCF+8GscXKJCQxzY
adWYAgTGJh+UuMJksgINP0aIbVv2kmQR58FhjUgJiNfxg15Vhkzzwf6M15B6yUx8
idNqNDSUcg29V7QTOiFd9Fg/JSfRGAzgflvcZK7/qVIhxdWsn9ZDRFwnTkHo5cO3
G+tExD1q7QGsk8Udz0Da8U2N+D/Qywc++iRTaI7omFVZer1tBwc6il7Vi1STKi0L
xPmsjwdKux6So+wgSn6at/GafIXcLFqkCCP9+wGR9hcIRoWiHGTfA7jxcuWyv6Lq
s5Mcp7kMsjAijvu7VSoU+Ur7lI0E3/PnjjiF7AX6GWVshG0zCZWQI/Ziy31h5piY
bDoqsT5RDs8+F1WgmCBsbaFcqDQKHng2lb+z3eTgcYuyFYsuco0y/0CTyjRg3Yi/
iTQi8PRIyQotW/bcohO5xY37zC2qfLeNXFY3Csdr7VliVZo0eMB3sVJnHMO1Pqob
CB0cUCQDiJ8TTVaGfM9rhqlozgSbMXOLzfjXhjtzwO2Pm6VlOOo=
=JzVH
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2293-1] mercurial security update
Next by Date: [SECURITY] [DLA 2303-1] libssh security update
Previous by thread: [SECURITY] [DLA 2293-1] mercurial security update
Next by thread: [SECURITY] [DLA 2303-1] libssh security update
Index(es):
- Date
- Thread