Your message dated Mon, 13 Oct 2025 07:28:22 +0200
with message-id <[email protected]>
and subject line Re: Bug#869927: libjpeg-turbo: CVE-2017-9614: invalid memory
access in the fill_input_buffer function
has caused the Debian Bug report #869927,
regarding libjpeg-turbo: CVE-2017-9614: invalid memory access in the
fill_input_buffer function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
869927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869927
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libjpeg-turbo
Version: 1:1.3.1-12
Severity: important
Tags: upstream security
Hi,
the following vulnerability was published for libjpeg-turbo.
CVE-2017-9614[0]:
| The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1
| allows remote attackers to cause a denial of service (invalid memory
| access and application crash) or possibly have unspecified other impact
| via a crafted jpg file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9614
[1] http://seclists.org/fulldisclosure/2017/Jul/66
Please adjust the affected versions in the BTS as needed.
Could you please as well check this if it's preported upstream?
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Hi Mike,
On Fri, Oct 03, 2025 at 11:20:50PM +0200, Mike Gabriel wrote:
> Hi Salvatore,
>
> Am Thu, Jul 27, 2017 at 07:03:18PM +0200, schrieb Salvatore Bonaccorso:
> > Source: libjpeg-turbo
> > Version: 1:1.3.1-12
> > Severity: important
> > Tags: upstream security
> >
> > Hi,
> >
> > the following vulnerability was published for libjpeg-turbo.
> >
> > CVE-2017-9614[0]:
> > | The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1
> > | allows remote attackers to cause a denial of service (invalid memory
> > | access and application crash) or possibly have unspecified other impact
> > | via a crafted jpg file.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-9614
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9614
> > [1] http://seclists.org/fulldisclosure/2017/Jul/66
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Could you please as well check this if it's preported upstream?
> >
> > Regards,
> > Salvatore
> >
>
> Can we close this bug for libjpeg-turbo? According to the upstream issue
> [1] this is not caused by libjpeg-turbo.
>
> [1] https://github.com/libjpeg-turbo/libjpeg-turbo/issues/167
Let's do so. We have noted in the security-tracker as well that this
not an issue but an incorrect usage of API.
Regards,
Salvatore
--- End Message ---
