libjpeg-turbo: Information disclosure — GLSA 202010-03

An information disclosure vulnerability in libjpeg-turbo allow remote attackers to obtain sensitive information.

Affected packages

media-libs/libjpeg-turbo on all architectures
Affected versions < 2.0.4-r1
Unaffected versions >= 1.5.3-r3
>= 2.0.4-r1

Background

libjpeg-turbo is a MMX, SSE, and SSE2 SIMD accelerated JPEG library.

Description

It was discovered that libjpeg-turbo incorrectly handled certain PPM files.

Impact

A remote attacker could entice a user to open a specially crafted PPM file using an application linked against libjpeg-turbo, possibly allowing attacker to obtain sensitive information.

Workaround

There is no known workaround at this time.

Resolution

All libjpeg-turbo 1.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=media-libs/libjpeg-turbo-1.5.3-r3:0/0.1"
 

All libjpeg-turbo 2.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=media-libs/libjpeg-turbo-2.0.4-r1:0/0.2"
 

References

Release date
October 20, 2020

Latest revision
October 20, 2020: 1

Severity
low

Exploitable
local, remote

Bugzilla entries