CVE-2020-14152

Published: 15 June 2020

In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.

Notes

Author	Note
mdeslaur	looks like this was fixed a long time ago in libjpeg-turbo

Priority

CVSS 3 base score: 7.1

Status

Package	Release	Status
libjpeg-turbo Launchpad, Ubuntu, Debian	bionic	Not vulnerable (1.5.2-0ubuntu5.18.04.4)
	eoan	Not vulnerable (2.0.3-0ubuntu1.19.10.1)
	focal	Not vulnerable (2.0.3-0ubuntu1.20.04.1)
	groovy	Not vulnerable (2.0.3-0ubuntu2)
	hirsute	Not vulnerable (2.0.3-0ubuntu2)
	impish	Not vulnerable (2.0.3-0ubuntu2)
	jammy	Not vulnerable (2.0.3-0ubuntu2)
	kinetic	Not vulnerable (2.0.3-0ubuntu2)
	precise	Ignored (end of ESM support, was needs-triage)
	trusty	Released (1.3.0-0ubuntu2.1+esm2)
	upstream	Released (1:1.5.1-2+deb9u1, 1:1.5.2-2+den10u1)
	xenial	Released (1.4.2-0ubuntu3.4+esm1)
	Patches: upstream: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/da2a27ef056a0179cbd80f9146e58b89403d9933
libjpeg6b Launchpad, Ubuntu, Debian	bionic	Needed
	eoan	Ignored (reached end-of-life)
	focal	Needed
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needed
	kinetic	Needed
	precise	Does not exist
	trusty	Released (6b1-4ubuntu1+esm1)
	upstream	Needed
	xenial	Ignored (end of standard support, was needed)
libjpeg9 Launchpad, Ubuntu, Debian	bionic	Needed
	eoan	Ignored (reached end-of-life)
	focal	Not vulnerable (1:9d-1)
	groovy	Not vulnerable (1:9d-1)
	hirsute	Not vulnerable (1:9d-1)
	impish	Not vulnerable (1:9d-1)
	jammy	Not vulnerable (1:9d-1)
	kinetic	Not vulnerable (1:9d-1)
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (9d)
	xenial	Ignored (end of standard support, was needed)

References

Bugs

https://bugs.gentoo.org/727908

Security

CVE-2020-14152

Notes

Low

Status

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading