CVE-2020-13790

Published: 03 June 2020

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

Priority

Medium

CVSS 3 base score: 8.1

Status

Package Release Status
libjpeg-turbo
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla)
Released (2.0.3-0ubuntu2)
Ubuntu 20.04 LTS (Focal Fossa)
Released (2.0.3-0ubuntu1.20.04.1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1.5.2-0ubuntu5.18.04.4)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1.4.2-0ubuntu3.4)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.3.0-0ubuntu2.1+esm1)
Patches:
Upstream: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a