Security update for libjxl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:0041-1 Final 1 1 2025-01-31T19:01:05Z current 2025-01-31T19:01:05Z 2025-01-31T19:01:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libjxl This update for libjxl fixes the following issues: - CVE-2024-11498: Fixed denial of service by checking height limit in modular trees (boo#1233785). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2025-41 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZHPZSTKKJIMP7HTU252RQ2IJBJJYHFVS/ E-Mail link for openSUSE-SU-2025:0041-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233785 SUSE Bug 1233785 https://www.suse.com/security/cve/CVE-2024-11498/ SUSE CVE CVE-2024-11498 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 libjxl-devel-0.8.2-bp155.2.6.1 libjxl-tools-0.8.2-bp155.2.6.1 libjxl0_8-0.8.2-bp155.2.6.1 libjxl0_8-64bit-0.8.2-bp155.2.6.1 libjxl-devel-0.8.2-bp155.2.6.1 as a component of SUSE Package Hub 15 SP5 libjxl-tools-0.8.2-bp155.2.6.1 as a component of SUSE Package Hub 15 SP5 libjxl0_8-0.8.2-bp155.2.6.1 as a component of SUSE Package Hub 15 SP5 libjxl0_8-64bit-0.8.2-bp155.2.6.1 as a component of SUSE Package Hub 15 SP5 libjxl-devel-0.8.2-bp155.2.6.1 as a component of openSUSE Leap 15.5 libjxl-tools-0.8.2-bp155.2.6.1 as a component of openSUSE Leap 15.5 libjxl0_8-0.8.2-bp155.2.6.1 as a component of openSUSE Leap 15.5 libjxl0_8-64bit-0.8.2-bp155.2.6.1 as a component of openSUSE Leap 15.5 There exists a stack buffer overflow in libjxl. A specifically-crafted file can cause the JPEG XL decoder to use large amounts of stack space (up to 256mb is possible, maybe 512mb), potentially exhausting the stack. An attacker can craft a file that will cause excessive memory usage. We recommend upgrading past commit 65fbec56bc578b6b6ee02a527be70787bbd053b0. CVE-2024-11498 SUSE Package Hub 15 SP5:libjxl-devel-0.8.2-bp155.2.6.1 SUSE Package Hub 15 SP5:libjxl-tools-0.8.2-bp155.2.6.1 SUSE Package Hub 15 SP5:libjxl0_8-0.8.2-bp155.2.6.1 SUSE Package Hub 15 SP5:libjxl0_8-64bit-0.8.2-bp155.2.6.1 openSUSE Leap 15.5:libjxl-devel-0.8.2-bp155.2.6.1 openSUSE Leap 15.5:libjxl-tools-0.8.2-bp155.2.6.1 openSUSE Leap 15.5:libjxl0_8-0.8.2-bp155.2.6.1 openSUSE Leap 15.5:libjxl0_8-64bit-0.8.2-bp155.2.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZHPZSTKKJIMP7HTU252RQ2IJBJJYHFVS/ https://www.suse.com/security/cve/CVE-2024-11498.html CVE-2024-11498 https://bugzilla.suse.com/1233784 SUSE Bug 1233784