CVSS2: AV:N/AC:M/Au:N/C:P/I:P/A:P
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
AI Score
Confidence: Low
EPSS
Percentile: 88.7%
Package: libjpeg-turbo
Version: 1:1.3.1-12+deb8u1
CVE ID: CVE-2016-3616 CVE-2018-1152 CVE-2018-11212 CVE-2018-11213 CVE-2018-11214
Debian Bug: #819969 #902950 #902176
Several vulnerabilities have been resolved in libjpeg-turbo, Debian's
default JPEG implementation.
CVE-2016-3616
The cjpeg utility in libjpeg allowed remote attackers to cause a
denial of service (NULL pointer dereference and application crash) or
execute arbitrary code via a crafted file.
This issue got fixed by the same patch that fixed CVE-2018-11213 and
CVE-2018-11214.
CVE-2018-1152
libjpeg-turbo has been found vulnerable to a denial of service
vulnerability caused by a divide by zero when processing a crafted
BMP image. The issue has been resolved by a boundary check.
CVE-2018-11212
The alloc_sarray function in jmemmgr.c allowed remote attackers to
cause a denial of service (divide-by-zero error) via a crafted file.
The issue has been addressed by checking the image size when reading
a targa file and throwing an error when image width or height is 0.
CVE-2018-11213
CVE-2018-11214
The get_text_gray_row and get_text_rgb_row functions in rdppm.c both
allowed remote attackers to cause a denial of service (Segmentation
fault) via a crafted file.
By checking the range of integer values in PPM text files and adding
checks to ensure values are within the specified range, both issues
For Debian 8 "Jessie", these problems have been fixed in version
1:1.3.1-12+deb8u1.
We recommend that you upgrade your libjpeg-turbo packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
–
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net
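The checks the advisory describes for PPM text input (CVE-2018-11213, CVE-2018-11214) and for zero-sized images (CVE-2018-11212, described there for Targa input) can be illustrated with a small validator for plain-text P2/P3 data. This is an added example, not the libjpeg-turbo patch or code from the advisory; the function names, error codes and the `MAX_DIM` limit are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stddef.h>

/* Hypothetical names and limits for this example (not libjpeg-turbo's). */
enum { PPM_OK = 0, PPM_BAD_HEADER = -1, PPM_EMPTY_IMAGE = -2,
       PPM_OUT_OF_RANGE = -3, PPM_BAD_DATA = -4 };
#define MAX_DIM 65500u

/* Read one unsigned decimal, skipping whitespace and '#' comments.
 * Anything above `lim` is rejected before the caller can use it. */
static int read_uint(const char **p, const char *end, unsigned lim, unsigned *out)
{
    const char *s = *p;
    unsigned v = 0;
    while (s < end && (isspace((unsigned char)*s) || *s == '#'))
        if (*s++ == '#')
            while (s < end && *s != '\n') s++;
    if (s >= end || !isdigit((unsigned char)*s)) return PPM_BAD_DATA;
    for (; s < end && isdigit((unsigned char)*s); s++) {
        v = v * 10 + (unsigned)(*s - '0');   /* v <= lim here, so no overflow */
        if (v > lim) return PPM_OUT_OF_RANGE;
    }
    *p = s;
    *out = v;
    return PPM_OK;
}

/* Validate a plain-text P2 (gray) or P3 (RGB) image held in memory.
 * On success stores the number of samples and returns PPM_OK. */
int check_text_ppm(const char *buf, size_t len, unsigned long long *nsamples)
{
    const char *p = buf, *end = buf + len;
    unsigned w, h, maxval, v;
    unsigned long long n, i;
    int rc;
    if (len < 2 || buf[0] != 'P' || (buf[1] != '2' && buf[1] != '3'))
        return PPM_BAD_HEADER;
    p += 2;
    if ((rc = read_uint(&p, end, MAX_DIM, &w)) != PPM_OK) return rc;
    if ((rc = read_uint(&p, end, MAX_DIM, &h)) != PPM_OK) return rc;
    if ((rc = read_uint(&p, end, 65535u, &maxval)) != PPM_OK) return rc;
    if (w == 0 || h == 0 || maxval == 0) return PPM_EMPTY_IMAGE;
    n = 1ULL * w * h * (buf[1] == '3' ? 3 : 1);
    for (i = 0; i < n; i++)   /* every sample must fit the declared maxval */
        if ((rc = read_uint(&p, end, maxval, &v)) != PPM_OK) return rc;
    *nsamples = n;
    return PPM_OK;
}
```

Rejecting a sample as soon as it exceeds the declared maximum means it can never be used as an index or scale factor later in the decoder.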
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 8 | armhf | libjpeg62-turbo-dbg | < 1:1.3.1-12+deb8u1 | libjpeg62-turbo-dbg_1:1.3.1-12+deb8u1_armhf.deb |
Debian | 8 | all | libjpeg-turbo | < 1:1.3.1-12+deb8u1 | libjpeg-turbo_1:1.3.1-12+deb8u1_all.deb |
Debian | 8 | armel | libjpeg-turbo-progs-dbg | < 1:1.3.1-12+deb8u1 | libjpeg-turbo-progs-dbg_1:1.3.1-12+deb8u1_armel.deb |
Debian | 8 | all | libjpeg-dev | < 1:1.3.1-12+deb8u1 | libjpeg-dev_1:1.3.1-12+deb8u1_all.deb |
Debian | 8 | armel | libturbojpeg1-dev | < 1:1.3.1-12+deb8u1 | libturbojpeg1-dev_1:1.3.1-12+deb8u1_armel.deb |
Debian | 8 | amd64 | libjpeg-turbo-progs | < 1:1.3.1-12+deb8u1 | libjpeg-turbo-progs_1:1.3.1-12+deb8u1_amd64.deb |
Debian | 8 | i386 | libjpeg-turbo-progs | < 1:1.3.1-12+deb8u1 | libjpeg-turbo-progs_1:1.3.1-12+deb8u1_i386.deb |
Debian | 8 | amd64 | libjpeg62-turbo-dev | < 1:1.3.1-12+deb8u1 | libjpeg62-turbo-dev_1:1.3.1-12+deb8u1_amd64.deb |
Debian | 8 | i386 | libjpeg62-turbo-dev | < 1:1.3.1-12+deb8u1 | libjpeg62-turbo-dev_1:1.3.1-12+deb8u1_i386.deb |
Debian | 8 | amd64 | libjpeg62-turbo | < 1:1.3.1-12+deb8u1 | libjpeg62-turbo_1:1.3.1-12+deb8u1_amd64.deb |