Security update for libjxl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:01883-1 Final 1 1 2025-06-11T05:42:29Z current 2025-06-11T05:42:29Z 2025-06-11T05:42:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libjxl This update for libjxl fixes the following issues: - CVE-2024-11403: Fix out of bounds memory read/write in libjxl (bsc#1233768). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1883,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-1883 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202501883-1/ Link for SUSE-SU-2025:01883-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040226.html E-Mail link for SUSE-SU-2025:01883-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233768 SUSE Bug 1233768 https://www.suse.com/security/cve/CVE-2024-11403/ SUSE CVE CVE-2024-11403 page SUSE Linux Enterprise Module for Package Hub 15 SP7 gdk-pixbuf-loader-jxl-0.10.3-150700.4.3.1 gimp-plugin-jxl-0.10.3-150700.4.3.1 jxl-thumbnailer-0.10.3-150700.4.3.1 libjxl-devel-0.10.3-150700.4.3.1 libjxl-tools-0.10.3-150700.4.3.1 libjxl0_10-0.10.3-150700.4.3.1 libjxl0_10-32bit-0.10.3-150700.4.3.1 libjxl0_10-64bit-0.10.3-150700.4.3.1 libjxl-devel-0.10.3-150700.4.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 libjxl-tools-0.10.3-150700.4.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 libjxl0_10-0.10.3-150700.4.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 libjxl0_10-32bit-0.10.3-150700.4.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression (i.e. if using JxlEncoderAddJPEGFrame on untrusted input) does not properly check bounds in the presence of incomplete codes. This could lead to an out-of-bounds write. In jpegli which is released as part of the same project, the same vulnerability is present. However, the relevant buffer is part of a bigger structure, and the code makes no assumptions on the values that could be overwritten. The issue could however cause jpegli to read uninitialised memory, or addresses of functions. CVE-2024-11403 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-devel-0.10.3-150700.4.3.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-tools-0.10.3-150700.4.3.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-0.10.3-150700.4.3.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-32bit-0.10.3-150700.4.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501883-1/ https://www.suse.com/security/cve/CVE-2024-11403.html CVE-2024-11403 https://bugzilla.suse.com/1233763 SUSE Bug 1233763