Your submission was sent successfully! Close

CVE-2020-17541

Published: 01 June 2021

Libjpeg-turbo all version have a stack-based buffer overflow in the "transform" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.

Priority

Low

CVSS 3 base score: 8.8

Status

Package Release Status
libjpeg-turbo
Launchpad, Ubuntu, Debian
Upstream
Released (1:2.0.5-1)
Ubuntu 21.10 (Impish Indri) Not vulnerable

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable

Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 ESM (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Needed

Patches:
Upstream: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c76f4a08263b0cea40d2967560ac7c21f6959079

Notes

AuthorNote
mdeslaur
probably not exploitable, if it is, it's a DoS only
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/392#issuecomment-562332507

References

Bugs