SB2016060504 - Gentoo update for libjpeg-turbo 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016060504

SB2016060504 - Gentoo update for libjpeg-turbo

Published: June 5, 2016 Updated: September 25, 2016

Security Bulletin ID SB2016060504
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2013-6629)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to an error in get_sos() function in jdmarker.c file within the libjpeg and libjpeg-turbo libraries when processing JPEG files. A remote attacker can create a specially crafeted JPEG file and read parts of unallocated memory on the system.

Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information.


2) Input validation error (CVE-ID: CVE-2013-6630)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The get_dht function in jdmarker.c in libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48 and other products, does not set all elements of a certain Huffman value array during the reading of segments that follow Define Huffman Table (DHT) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.


Remediation

Install update from vendor's website.

References