MidnightBSD

Advisories for libjpeg-turbo

CVE-2013-6629 MEDIUM

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
artifex gpl_ghostscript *
fedoraproject fedora 18
mozilla thunderbird *
canonical ubuntu_linux 12.04
mozilla firefox_esr *
mozilla seamonkey *
libjpeg-turbo libjpeg-turbo *
canonical ubuntu_linux 10.04
mozilla firefox *
google chrome *
fedoraproject fedora 20
canonical ubuntu_linux 13.04
debian debian_linux 8.0
canonical ubuntu_linux 13.10
debian debian_linux 7.0
canonical ubuntu_linux 12.10
opensuse opensuse 12.2
opensuse opensuse 13.1
fedoraproject fedora 19
opensuse opensuse 12.3
oracle solaris 11.3
CVE-2014-9092 MEDIUM

libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
fedoraproject fedora 21
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
libjpeg-turbo libjpeg-turbo *
fedoraproject fedora 20
canonical ubuntu_linux 14.10
CVE-2016-3616 MEDIUM

The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
redhat enterprise_linux 7.4
canonical ubuntu_linux 18.10
libjpeg-turbo libjpeg-turbo 7.4
debian debian_linux 8.0
CVE-2017-15232 MEDIUM

libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo 1.5.2
CVE-2018-1152 MEDIUM

libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 17.10
libjpeg-turbo libjpeg-turbo 1.5.90
CVE-2018-14498 MEDIUM

get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo *
opensuse leap 15.0
mozilla mozjpeg *
fedoraproject fedora 28
debian debian_linux 8.0
CVE-2018-19664 MEDIUM

libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo 2.0.1
CVE-2018-20330 MEDIUM

The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-787,

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo 2.0.1
CVE-2019-13960 MEDIUM

In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo 2.0.2
CVE-2020-13790 MEDIUM

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo 2.0.4
mozilla mozjpeg 4.0.0
CVE-2020-17541 MEDIUM

Libjpeg-turbo all version have a stack-based buffer overflow in the "transform" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo *
CVE-2020-35538

A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo 2.0.5
CVE-2021-20205 MEDIUM

Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,

Products Affected

Vendor Product Version
fedoraproject fedora 34
libjpeg-turbo libjpeg-turbo 2.0.90
CVE-2021-29390

libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H 2.8 4.2

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 38
libjpeg-turbo libjpeg-turbo 2.0.90
fedoraproject fedora 39
CVE-2021-46822 MEDIUM

The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo *
CVE-2023-2804

A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.

Products Affected

Vendor Product Version
libjpeg-turbo libjpeg-turbo 2.1.90