Out-of-bounds Write Affecting libjpeg-turbo package, versions <2.0.2-r0
Threat Intelligence
EPSS
0.3% (71st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALPINE312-LIBJPEGTURBO-588733
- published 21 Dec 2018
- disclosed 21 Dec 2018
How to fix?
Upgrade Alpine:3.12 libjpeg-turbo to version 2.0.2-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by Alpine.
See How to fix? for Alpine:3.12 relevant fixed versions and status.
The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench.