-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2302-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ July 31, 2020 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : libjpeg-turbo Version : 1:1.5.1-2+deb9u1 CVE ID : CVE-2018-1152 CVE-2018-14498 CVE-2020-13790 CVE-2020-14152 Debian Bug : 902950 924678 962829 Several vulnerabilities were fixed in libjpeg-turbo, a widely used library for handling JPEG files. CVE-2018-1152 Denial of service vulnerability caused by a divide by zero when processing a crafted BMP image in TJBench. CVE-2018-14498 Denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries. CVE-2020-13790 Heap-based buffer over-read via a malformed PPM input file. CVE-2020-14152 jpeg_mem_available() did not honor the max_memory_to_use setting, possibly causing excessive memory consumption. For Debian 9 stretch, these problems have been fixed in version 1:1.5.1-2+deb9u1. We recommend that you upgrade your libjpeg-turbo packages. For the detailed security status of libjpeg-turbo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libjpeg-turbo Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAl8kYtUACgkQiNJCh6LY mLEI4A//ZSRkBmcgBfAISfFItnREpK4GLA/wfEza8IYh0AT1N5hRmOdEwwR0noCB VLAlLXTo9DM05rlJxI/EkqK5MthFqg25CQhgz9mGpJANrgmvFbwNvNxx9Iw6IsHs V46uKPf62GFeCjsCcXvNjR2x8Q5oRrf0xCZrO/cVCdvS/8sNKCF+8GscXKJCQxzY adWYAgTGJh+UuMJksgINP0aIbVv2kmQR58FhjUgJiNfxg15Vhkzzwf6M15B6yUx8 idNqNDSUcg29V7QTOiFd9Fg/JSfRGAzgflvcZK7/qVIhxdWsn9ZDRFwnTkHo5cO3 G+tExD1q7QGsk8Udz0Da8U2N+D/Qywc++iRTaI7omFVZer1tBwc6il7Vi1STKi0L xPmsjwdKux6So+wgSn6at/GafIXcLFqkCCP9+wGR9hcIRoWiHGTfA7jxcuWyv6Lq s5Mcp7kMsjAijvu7VSoU+Ur7lI0E3/PnjjiF7AX6GWVshG0zCZWQI/Ziy31h5piY bDoqsT5RDs8+F1WgmCBsbaFcqDQKHng2lb+z3eTgcYuyFYsuco0y/0CTyjRg3Yi/ iTQi8PRIyQotW/bcohO5xY37zC2qfLeNXFY3Csdr7VliVZo0eMB3sVJnHMO1Pqob CB0cUCQDiJ8TTVaGfM9rhqlozgSbMXOLzfjXhjtzwO2Pm6VlOOo= =JzVH -----END PGP SIGNATURE-----