libjpeg-turbo: Multiple vulnerabilities — GLSA 201606-03

Two vulnerabilities have been discovered in libjpeg-turbo, the worse of which could allow remote attackers access to sensitive information.

Affected packages

media-libs/libjpeg-turbo on all architectures
Affected versions < 1.4.2
Unaffected versions >= 1.4.2

Background

libjpeg-turbo is an MMX, SSE, and SSE2 SIMD-accelerated JPEG library.

Description

libjpeg-turbo does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers.
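
A defensive check for the condition described above, as an added example that is not part of the advisory or of libjpeg-turbo: it walks a JPEG marker stream and reports any SOS header that lists the same component selector more than once. Reading "duplications of component data" as repeated selectors within one SOS header is an assumption, and the function names and sample bytes are constructed for illustration.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI, RST0-RST7.
NO_LENGTH = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def duplicate_sos_components(data: bytes) -> list:
    """Return (offset, selectors) for every SOS header that repeats a selector."""
    findings, i, n = [], 0, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:          # entropy-coded byte: keep scanning
            i += 1
            continue
        marker = data[i + 1]
        if marker == 0xFF:           # fill byte before a marker
            i += 1
            continue
        if marker == 0x00:           # stuffed 0xFF inside entropy data
            i += 2
            continue
        if marker in NO_LENGTH:
            if marker == EOI:
                break
            i += 2
            continue
        if i + 4 > n:
            break                    # truncated segment header
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        if length < 2:
            break                    # malformed length, stop rather than loop
        body = data[i + 4:i + 2 + length]
        if marker == SOS and body:
            ns = body[0]             # number of components in this scan
            selectors = list(body[1:1 + 2 * ns:2])
            if len(set(selectors)) != len(selectors):
                findings.append((i, selectors))
        i += 2 + length
    return findings


def _sos(selectors):
    """Build a constructed SOS segment (header only) for the samples below."""
    body = bytes([len(selectors)]) + b"".join(bytes([c, 0]) for c in selectors)
    body += b"\x00\x3f\x00"          # Ss, Se, Ah/Al
    return b"\xff\xda" + struct.pack(">H", len(body) + 2) + body


# Constructed marker streams, not decodable images.
CLEAN = b"\xff\xd8" + _sos([1, 2, 3]) + b"\x12\xff\x00\x34\xff\xd9"
DUPLICATED = b"\xff\xd8" + _sos([1, 1, 2]) + b"\x12\xff\x00\x34\xff\xd9"
```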

Impact

Remote attackers could obtain sensitive information from uninitialized memory locations via a crafted JPEG image.

Workaround

There is no known workaround at this time.

Resolution

All libjpeg-turbo users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-1.4.2"
 

References

Release date
June 05, 2016

Latest revision
June 05, 2016: 2

Severity
normal

Exploitable
remote

Bugzilla entries