[gentoo-announce] [ GLSA 201606-03 ] libjpeg-turbo: Multiple vulnerabilities - gentoo-announce

From:	Yury German <blueknight@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201606-03 ] libjpeg-turbo: Multiple vulnerabilities
Date:	Sun, 05 Jun 2016 20:05:57
Message-Id:	`cfd92565-b50b-1b70-75d3-1d71c1f06a32@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201606-03

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: libjpeg-turbo: Multiple vulnerabilities

9

     Date: June 05, 2016

10

     Bugs: #491150, #531418

11

       ID: 201606-03

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Two vulnerabilities have been discovered in libjpeg-turbo, the worse of

19

which could allow remote attackers access to  sensitive information.

20

21

Background

22

==========

23

24

libjpeg-turbo is a MMX, SSE, and SSE2 SIMD accelerated JPEG library

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  media-libs/libjpeg-turbo

33

                                  < 1.4.2                    >= 1.4.2

34

35

Description

36

===========

37

38

libjpeg-turbo does not check for certain duplications of component data

39

during the reading of segments that follow Start Of Scan (SOS) JPEG

40

markers.

41

42

Impact

43

======

44

45

Remote attackers could obtain sensitive information from uninitialized

46

memory locations via a crafted JPEG images.

47

48

Workaround

49

==========

50

51

There is no known workaround at this time.

52

53

Resolution

54

==========

55

56

All libjpeg-turbo users should upgrade to the latest version:

57

58

  # emerge --sync

59

  # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-1.4.2"

60

61

References

62

==========

63

64

[ 1 ] CVE-2013-6629

65

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6629

66

[ 2 ] CVE-2013-6630

67

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6630

68

69

Availability

70

============

71

72

This GLSA and any updates to it are available for viewing at

73

the Gentoo Security Website:

74

75

 https://security.gentoo.org/glsa/201606-03

76

77

Concerns?

78

=========

79

80

Security is a primary focus of Gentoo Linux and ensuring the

81

confidentiality and security of our users' machines is of utmost

82

importance to us. Any security concerns should be addressed to

83

security@g.o or alternatively, you may file a bug at

84

https://bugs.gentoo.org.

85

86

License

87

=======

88

89

Copyright 2016 Gentoo Foundation, Inc; referenced text

90

belongs to its owner(s).

91

92

The contents of this document are licensed under the

93

Creative Commons - Attribution / Share Alike license.

94

95

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201606-03
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: libjpeg-turbo: Multiple vulnerabilities
9	Date: June 05, 2016
10	Bugs: #491150, #531418
11	ID: 201606-03
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Two vulnerabilities have been discovered in libjpeg-turbo, the worse of
19	which could allow remote attackers access to sensitive information.
20
21	Background
22	==========
23
24	libjpeg-turbo is a MMX, SSE, and SSE2 SIMD accelerated JPEG library
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 media-libs/libjpeg-turbo
33	< 1.4.2 >= 1.4.2
34
35	Description
36	===========
37
38	libjpeg-turbo does not check for certain duplications of component data
39	during the reading of segments that follow Start Of Scan (SOS) JPEG
40	markers.
41
42	Impact
43	======
44
45	Remote attackers could obtain sensitive information from uninitialized
46	memory locations via a crafted JPEG images.
47
48	Workaround
49	==========
50
51	There is no known workaround at this time.
52
53	Resolution
54	==========
55
56	All libjpeg-turbo users should upgrade to the latest version:
57
58	# emerge --sync
59	# emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-1.4.2"
60
61	References
62	==========
63
64	[ 1 ] CVE-2013-6629
65	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6629
66	[ 2 ] CVE-2013-6630
67	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6630
68
69	Availability
70	============
71
72	This GLSA and any updates to it are available for viewing at
73	the Gentoo Security Website:
74
75	https://security.gentoo.org/glsa/201606-03
76
77	Concerns?
78	=========
79
80	Security is a primary focus of Gentoo Linux and ensuring the
81	confidentiality and security of our users' machines is of utmost
82	importance to us. Any security concerns should be addressed to
83	security@g.o or alternatively, you may file a bug at
84	https://bugs.gentoo.org.
85
86	License
87	=======
88
89	Copyright 2016 Gentoo Foundation, Inc; referenced text
90	belongs to its owner(s).
91
92	The contents of this document are licensed under the
93	Creative Commons - Attribution / Share Alike license.
94
95	http://creativecommons.org/licenses/by-sa/2.5