Update libjpeg-turbo to libjpeg-turbo-2.0.1-0ubuntu2.2 to fix CVE-2018-20330 CVE-2018-19664 CVE-2019-2201 CVE-2018-14498 CVE-2018-1152 CVE-2017-15232 high remote

Tracked by Jolla (In release)

asked 2020-03-24 10:22:32 +0300 by lpr


  • SECURITY UPDATE: NULL pointer dereference via JPEG image
    • debian/patches/CVE-2017-15232-1.patch: exit gracefully with non-PPM formats in djpeg.1, djpeg.c.
    • debian/patches/CVE-2017-15232-2.patch: add further partial image decompression fixes in cdjpeg.h, djpeg.1, djpeg.c, jdapistd.c, wrbmp.c, wrgif.c, wrppm.c, wrppm.h, wrrle.c, wrtarga.c.
    • CVE-2017-15232
  • SECURITY UPDATE: division by zero via BMP image
    • debian/patches/CVE-2018-1152.patch: add size check in rdbmp.c.
    • CVE-2018-1152
  • SECURITY UPDATE: Denial of service
    • debian/patches/CVE-2018-14498.patch: Fix OOB read caused by malformed 8-bit BMP in cderror.h, rdbmp.c, rdppm.c.
    • CVE-2018-14498
  • SECURITY UPDATE: Several integer overflow and subsequent segfaults
    • debian/patches/CVE-2019-2201.patch: properly handled gigapixel images in java/TJBench.java, tjbench.c, turbojpeg.c.
    • CVE-2019-2201
  • SECURITY UPDATE: heap-based buffer over-read
    • debian/patches/CVE-2018-19664.patch: avoid quantization w/ non-RGB CS in wrbmp.c.
    • CVE-2018-19664
  • SECURITY UPDATE: heap-based buffer overflow
    • debian/patches/CVE-2018-20330.patch: fix int overflow and segfault w/ big BMP in turbojpeg.c
    • CVE-2018-20330
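Two of the bug classes the changelog above names, division by zero on a BMP with zero dimensions and integer overflow when sizing the pixel buffer of a very large BMP, come down to how a decoder turns the header's width, height and bits-per-pixel into an allocation size. The following is an added illustration written for this page; it is not libjpeg-turbo's code and does not reproduce any of the patches listed. It builds a constructed BITMAPINFOHEADER-style header in memory, computes the buffer size the naive way in 32-bit unsigned arithmetic (which wraps silently for a 65536x65536 image), and beside it the checked way: reject zero or negative dimensions before they reach any division, bound each dimension, do the multiplication in 64 bits and cap the total. The limits `MAX_DIM` and `MAX_BYTES` and the helper names are assumptions chosen for the example.

```c
/* Added example, not libjpeg-turbo code: unchecked vs. checked BMP buffer sizing. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical limits for the example; a real decoder picks its own. */
#define MAX_DIM   65536u                  /* pixels per side */
#define MAX_BYTES (256u * 1024u * 1024u)  /* 256 MiB pixel buffer */

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_le16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static void wr_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Constructed 54-byte BMP header (file header + BITMAPINFOHEADER): width at
 * offset 18, height at 22, planes at 26, bits-per-pixel at 28. */
void make_bmp_header(unsigned char out[54], int32_t w, int32_t h, uint16_t bpp) {
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr_le32(out + 14, 40);              /* BITMAPINFOHEADER size */
    wr_le32(out + 18, (uint32_t)w);
    wr_le32(out + 22, (uint32_t)h);
    out[26] = 1;                        /* planes */
    out[28] = bpp & 0xff; out[29] = bpp >> 8;
}

/* Naive sizing: width * height * bytes-per-pixel in 32-bit unsigned arithmetic.
 * For 65536 x 65536 the product wraps to 0, so a tiny (or zero) buffer would be
 * allocated and every later row write would land out of bounds. */
uint32_t unchecked_pixel_buffer_size(const unsigned char *hdr) {
    uint32_t w = rd_le32(hdr + 18), h = rd_le32(hdr + 22);
    uint32_t bpp = rd_le16(hdr + 28);
    return w * h * (bpp / 8);
}

/* Checked sizing. Returns 1 and stores the byte count in *out, or 0 when the
 * header is rejected. Rows are padded to 4 bytes as BMP requires. */
int checked_pixel_buffer_size(const unsigned char *hdr, size_t len, size_t *out) {
    if (len < 30 || hdr[0] != 'B' || hdr[1] != 'M') return 0;
    int64_t w = (int32_t)rd_le32(hdr + 18);
    int64_t h = (int32_t)rd_le32(hdr + 22);
    uint16_t bpp = rd_le16(hdr + 28);
    if (h < 0) h = -h;                       /* negative height means top-down rows */
    if (w <= 0 || h == 0) return 0;          /* zero/negative dims: reject before any division */
    if (w > MAX_DIM || h > MAX_DIM) return 0;
    if (bpp != 8 && bpp != 24 && bpp != 32) return 0;
    uint64_t pitch = (((uint64_t)w * bpp + 31) / 32) * 4;   /* 64-bit: cannot overflow here */
    uint64_t total = pitch * (uint64_t)h;
    if (total > MAX_BYTES) return 0;
    *out = (size_t)total;
    return 1;
}

/* Convenience wrappers used by the demonstration below. */
uint32_t unchecked_size_for(int32_t w, int32_t h, uint16_t bpp) {
    unsigned char hdr[54];
    make_bmp_header(hdr, w, h, bpp);
    return unchecked_pixel_buffer_size(hdr);
}
long long checked_size_for(int32_t w, int32_t h, uint16_t bpp) {
    unsigned char hdr[54];
    size_t n = 0;
    make_bmp_header(hdr, w, h, bpp);
    return checked_pixel_buffer_size(hdr, sizeof hdr, &n) ? (long long)n : -1;
}

int main(void) {
    printf("4x3x24:       unchecked=%u checked=%lld\n",
           unchecked_size_for(4, 3, 24), checked_size_for(4, 3, 24));
    printf("65536^2x32:   unchecked=%u checked=%lld\n",
           unchecked_size_for(65536, 65536, 32), checked_size_for(65536, 65536, 32));
    printf("0x10x8:       unchecked=%u checked=%lld\n",
           unchecked_size_for(0, 10, 8), checked_size_for(0, 10, 8));
    return 0;
}
```

The point to take from the two functions is that the checked version fails closed: a rejected header yields -1 rather than a plausible-looking small number, and the zero-dimension case is caught before any code path could divide by width or height.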