CVE-2020-14152

Published: 15 June 2020

In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.

Priority

Low

CVSS 3 base score: 7.1

Status

Package Release Status
libjpeg-turbo
  Upstream: Released (1:1.5.1-2+deb9u1, 1:1.5.2-2+den10u1)
  Ubuntu 21.10 (Impish Indri): Not vulnerable (2.0.3-0ubuntu2)
  Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (2.0.3-0ubuntu2)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (2.0.3-0ubuntu1.20.04.1)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1.5.2-0ubuntu5.18.04.4)
  Ubuntu 16.04 ESM (Xenial Xerus): Needed
  Ubuntu 14.04 ESM (Trusty Tahr): Needed

Patches:
Upstream: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/da2a27ef056a0179cbd80f9146e58b89403d9933
libjpeg6b
  Upstream: Needed
  Ubuntu 21.10 (Impish Indri): Needed
  Ubuntu 21.04 (Hirsute Hippo): Needed
  Ubuntu 20.04 LTS (Focal Fossa): Needed
  Ubuntu 18.04 LTS (Bionic Beaver): Needed
  Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was needed)
  Ubuntu 14.04 ESM (Trusty Tahr): Needed

libjpeg9
  Upstream: Released (9d)
  Ubuntu 21.10 (Impish Indri): Not vulnerable (1:9d-1)
  Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (1:9d-1)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (1:9d-1)
  Ubuntu 18.04 LTS (Bionic Beaver): Needed
  Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was needed)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist