CVE-2020-14153

Published: 15 June 2020

In IJG JPEG (aka libjpeg) from version 8 through 9c, jdhuff.c has an out-of-bounds array read for certain table pointers.

Notes

Author	Note
mdeslaur	patch in libjpeg9 9d appears to be: - entropy->ac_cur_tbls[blkn] = entropy->ac_derived_tbls[compptr->ac_tbl_no]; + entropy->ac_cur_tbls[blkn] = /* AC needs no table when not present */ + cinfo->lim_Se ? entropy->ac_derived_tbls[compptr->ac_tbl_no] : NULL; per upstream libjpeg-turbo bug, libjpeg-turbo is not vulnerable to this issue
ccdm94	due to the same reasoning provided by the libjpeg-turbo upstream in issue https://github.com/libjpeg-turbo/libjpeg-turbo/issues/445, it is safe to assume that libjpeg6b is also not vulnerable to this.

Author

Note

mdeslaur

patch in libjpeg9 9d appears to be:
-      entropy->ac_cur_tbls[blkn] = entropy->ac_derived_tbls[compptr->ac_tbl_no];
+      entropy->ac_cur_tbls[blkn] =	/* AC needs no table when not present */
+	cinfo->lim_Se ? entropy->ac_derived_tbls[compptr->ac_tbl_no] : NULL;

per upstream libjpeg-turbo bug, libjpeg-turbo is not vulnerable
to this issue

ccdm94

due to the same reasoning provided by the libjpeg-turbo upstream in issue
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/445, it is safe to
assume that libjpeg6b is also not vulnerable to this.

Priority

Cvss 3 Severity Score

7.1

Score breakdown

Status

Package	Release	Status
libjpeg6b Launchpad, Ubuntu, Debian	trusty	Not vulnerable
	impish	Not vulnerable
	hirsute	Ignored (end of life)
	bionic	Not vulnerable
	focal	Not vulnerable
	xenial	Needed
	jammy	Not vulnerable
	upstream	Not vulnerable
	lunar	Not vulnerable
	eoan	Ignored (end of life)
	groovy	Ignored (end of life)
	kinetic	Not vulnerable
libjpeg-turbo Launchpad, Ubuntu, Debian	impish	Not vulnerable
	groovy	Not vulnerable
	upstream	Not vulnerable
	hirsute	Not vulnerable
	bionic	Not vulnerable
	focal	Not vulnerable
	trusty	Not vulnerable
	xenial	Not vulnerable
	jammy	Not vulnerable
	lunar	Not vulnerable
	eoan	Ignored (end of life)
	kinetic	Not vulnerable
libjpeg9 Launchpad, Ubuntu, Debian	bionic	Needed
	hirsute	Not vulnerable (1:9d-1)
	xenial	Released (1:9b-1ubuntu1+esm1) Available with Ubuntu Pro
	jammy	Not vulnerable (1:9d-1)
	lunar	Not vulnerable (1:9d-1)
	eoan	Ignored (end of life)
	focal	Not vulnerable (1:9d-1)
	groovy	Not vulnerable (1:9d-1)
	impish	Not vulnerable (1:9d-1)
	kinetic	Not vulnerable (1:9d-1)
	trusty	Does not exist
	upstream	Released (9d)

Severity score breakdown

Parameter	Value
Base score	7.1
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›