Lucene search

CentOS ProjectCESA-2019:2052

HistoryAug 30, 2019 - 3:16 a.m.

libjpeg, turbojpeg security update

2019-08-3003:16:23

CentOS Project

lists.centos.org

184

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.017 Low

EPSS

Percentile

87.5%

JSON

CentOS Errata and Security Advisory CESA-2019:2052

The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance.

Security Fix(es):

libjpeg: null pointer dereference in cjpeg (CVE-2016-3616)
libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service (CVE-2018-14498)
libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c (CVE-2018-11212)
libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c (CVE-2018-11213)
libjpeg: Segmentation fault in get_text_rgb_row function in rdppm.c (CVE-2018-11214)
libjpeg: “cjpeg” utility large loop because read_pixel in rdtarga.c mishandles EOF (CVE-2018-11813)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/032221.html

Affected packages:
libjpeg-turbo
libjpeg-turbo-devel
libjpeg-turbo-static
libjpeg-turbo-utils
turbojpeg
turbojpeg-devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2019:2052

OSVersionArchitecturePackageVersionFilename
CentOS7i686libjpeg-turbo< 1.2.90-8.el7libjpeg-turbo-1.2.90-8.el7.i686.rpm
CentOS7x86_64libjpeg-turbo< 1.2.90-8.el7libjpeg-turbo-1.2.90-8.el7.x86_64.rpm
CentOS7i686libjpeg-turbo-devel< 1.2.90-8.el7libjpeg-turbo-devel-1.2.90-8.el7.i686.rpm
CentOS7x86_64libjpeg-turbo-devel< 1.2.90-8.el7libjpeg-turbo-devel-1.2.90-8.el7.x86_64.rpm
CentOS7i686libjpeg-turbo-static< 1.2.90-8.el7libjpeg-turbo-static-1.2.90-8.el7.i686.rpm
CentOS7x86_64libjpeg-turbo-static< 1.2.90-8.el7libjpeg-turbo-static-1.2.90-8.el7.x86_64.rpm
CentOS7x86_64libjpeg-turbo-utils< 1.2.90-8.el7libjpeg-turbo-utils-1.2.90-8.el7.x86_64.rpm
CentOS7i686turbojpeg< 1.2.90-8.el7turbojpeg-1.2.90-8.el7.i686.rpm
CentOS7x86_64turbojpeg< 1.2.90-8.el7turbojpeg-1.2.90-8.el7.x86_64.rpm
CentOS7i686turbojpeg-devel< 1.2.90-8.el7turbojpeg-devel-1.2.90-8.el7.i686.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	7	i686	libjpeg-turbo	< 1.2.90-8.el7	libjpeg-turbo-1.2.90-8.el7.i686.rpm
CentOS	7	x86_64	libjpeg-turbo	< 1.2.90-8.el7	libjpeg-turbo-1.2.90-8.el7.x86_64.rpm
CentOS	7	i686	libjpeg-turbo-devel	< 1.2.90-8.el7	libjpeg-turbo-devel-1.2.90-8.el7.i686.rpm
CentOS	7	x86_64	libjpeg-turbo-devel	< 1.2.90-8.el7	libjpeg-turbo-devel-1.2.90-8.el7.x86_64.rpm
CentOS	7	i686	libjpeg-turbo-static	< 1.2.90-8.el7	libjpeg-turbo-static-1.2.90-8.el7.i686.rpm
CentOS	7	x86_64	libjpeg-turbo-static	< 1.2.90-8.el7	libjpeg-turbo-static-1.2.90-8.el7.x86_64.rpm
CentOS	7	x86_64	libjpeg-turbo-utils	< 1.2.90-8.el7	libjpeg-turbo-utils-1.2.90-8.el7.x86_64.rpm
CentOS	7	i686	turbojpeg	< 1.2.90-8.el7	turbojpeg-1.2.90-8.el7.i686.rpm
CentOS	7	x86_64	turbojpeg	< 1.2.90-8.el7	turbojpeg-1.2.90-8.el7.x86_64.rpm
CentOS	7	i686	turbojpeg-devel	< 1.2.90-8.el7	turbojpeg-devel-1.2.90-8.el7.i686.rpm