libjpeg-turbo-2.1.1-65.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10952 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libjpeg-turbo-2.1.1-65.2 on GA media These are all security issues fixed in the libjpeg-turbo-2.1.1-65.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10952 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10952 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-15232/ SUSE CVE CVE-2017-15232 page https://www.suse.com/security/cve/CVE-2018-1152/ SUSE CVE CVE-2018-1152 page https://www.suse.com/security/cve/CVE-2018-11813/ SUSE CVE CVE-2018-11813 page https://www.suse.com/security/cve/CVE-2018-19644/ SUSE CVE CVE-2018-19644 page https://www.suse.com/security/cve/CVE-2018-19664/ SUSE CVE CVE-2018-19664 page https://www.suse.com/security/cve/CVE-2018-20330/ SUSE CVE CVE-2018-20330 page https://www.suse.com/security/cve/CVE-2020-13790/ SUSE CVE CVE-2020-13790 page openSUSE Tumbleweed libjpeg-turbo-2.1.1-65.2 libjpeg8-8.2.2-65.2 libjpeg8-32bit-8.2.2-65.2 libjpeg8-devel-8.2.2-65.2 libjpeg8-devel-32bit-8.2.2-65.2 libturbojpeg0-8.2.2-65.2 libturbojpeg0-32bit-8.2.2-65.2 libjpeg-turbo-2.1.1-65.2 as a component of openSUSE Tumbleweed libjpeg8-8.2.2-65.2 as a component of openSUSE Tumbleweed libjpeg8-32bit-8.2.2-65.2 as a component of openSUSE Tumbleweed libjpeg8-devel-8.2.2-65.2 as a component of openSUSE Tumbleweed libjpeg8-devel-32bit-8.2.2-65.2 as a component of openSUSE Tumbleweed libturbojpeg0-8.2.2-65.2 as a component of openSUSE Tumbleweed libturbojpeg0-32bit-8.2.2-65.2 as a component of openSUSE Tumbleweed libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. CVE-2017-15232 openSUSE Tumbleweed:libjpeg-turbo-2.1.1-65.2 openSUSE Tumbleweed:libjpeg8-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-32bit-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-8.2.2-65.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15232.html CVE-2017-15232 https://bugzilla.suse.com/1062937 SUSE Bug 1062937 libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image. CVE-2018-1152 openSUSE Tumbleweed:libjpeg-turbo-2.1.1-65.2 openSUSE Tumbleweed:libjpeg8-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-32bit-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-8.2.2-65.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1152.html CVE-2018-1152 https://bugzilla.suse.com/1098155 SUSE Bug 1098155 libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF. CVE-2018-11813 openSUSE Tumbleweed:libjpeg-turbo-2.1.1-65.2 openSUSE Tumbleweed:libjpeg8-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-32bit-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-8.2.2-65.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11813.html CVE-2018-11813 https://bugzilla.suse.com/1096209 SUSE Bug 1096209 https://bugzilla.suse.com/1172994 SUSE Bug 1172994 https://bugzilla.suse.com/1172995 SUSE Bug 1172995 Reflected cross site script issue in Micro Focus Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5. CVE-2018-19644 openSUSE Tumbleweed:libjpeg-turbo-2.1.1-65.2 openSUSE Tumbleweed:libjpeg8-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-32bit-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-8.2.2-65.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19644.html CVE-2018-19644 libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg. CVE-2018-19664 openSUSE Tumbleweed:libjpeg-turbo-2.1.1-65.2 openSUSE Tumbleweed:libjpeg8-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-32bit-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-8.2.2-65.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19664.html CVE-2018-19664 https://bugzilla.suse.com/1117890 SUSE Bug 1117890 The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench. CVE-2018-20330 openSUSE Tumbleweed:libjpeg-turbo-2.1.1-65.2 openSUSE Tumbleweed:libjpeg8-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-32bit-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-8.2.2-65.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20330.html CVE-2018-20330 https://bugzilla.suse.com/1120646 SUSE Bug 1120646 libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file. CVE-2020-13790 openSUSE Tumbleweed:libjpeg-turbo-2.1.1-65.2 openSUSE Tumbleweed:libjpeg8-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-32bit-8.2.2-65.2 openSUSE Tumbleweed:libjpeg8-devel-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-32bit-8.2.2-65.2 openSUSE Tumbleweed:libturbojpeg0-8.2.2-65.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-13790.html CVE-2020-13790 https://bugzilla.suse.com/1172491 SUSE Bug 1172491