Vulnerabilities > CVE-2016-3616 - NULL Pointer Dereference vulnerability in multiple products

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
libjpeg-turbo
redhat
debian
canonical
CWE-476
nessus

Summary

The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0185_LIBJPEG-TURBO.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libjpeg-turbo packages installed that are affected by multiple vulnerabilities: - The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file. (CVE-2016-3616) - libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF. (CVE-2018-11813) - An issue was discovered in libjpeg 9a. The get_text_gray_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file. (CVE-2018-11213) - An issue was discovered in libjpeg 9a. The get_text_rgb_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file. (CVE-2018-11214) - An issue was discovered in libjpeg 9a. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file. (CVE-2018-11212) - get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries. (CVE-2018-14498) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id129912
    published2019-10-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129912
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : libjpeg-turbo Multiple Vulnerabilities (NS-SA-2019-0185)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2407.NASL
    descriptionAccording to the versions of the libjpeg-turbo packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.(CVE-2016-3616) - get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.(CVE-2018-14498) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-12-10
    plugin id131899
    published2019-12-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131899
    titleEulerOS 2.0 SP2 : libjpeg-turbo (EulerOS-SA-2019-2407)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2251.NASL
    descriptionAccording to the versions of the libjpeg-turbo packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.(CVE-2016-3616) - An issue was discovered in libjpeg 9a. The get_text_gray_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file.(CVE-2018-11213) - An issue was discovered in libjpeg 9a. The get_text_rgb_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file.(CVE-2018-11214) - heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service (CVE-2018-14498) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-08
    plugin id130713
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130713
    titleEulerOS 2.0 SP3 : libjpeg-turbo (EulerOS-SA-2019-2251)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2052.NASL
    descriptionAn update for libjpeg-turbo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance. Security Fix(es) : * libjpeg: NULL pointer dereference in cjpeg (CVE-2016-3616) * libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service (CVE-2018-14498) * libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c (CVE-2018-11212) * libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c (CVE-2018-11213) * libjpeg: Segmentation fault in get_text_rgb_row function in rdppm.c (CVE-2018-11214) * libjpeg:
    last seen2020-06-01
    modified2020-06-02
    plugin id127661
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127661
    titleRHEL 7 : libjpeg-turbo (RHSA-2019:2052)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1638.NASL
    descriptionSeveral vulnerabilities have been resolved in libjpeg-turbo, Debian
    last seen2020-03-17
    modified2019-01-23
    plugin id121315
    published2019-01-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121315
    titleDebian DLA-1638-1 : libjpeg-turbo security update
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0227_LIBJPEG-TURBO.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has libjpeg-turbo packages installed that are affected by multiple vulnerabilities: - The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file. (CVE-2016-3616) - libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF. (CVE-2018-11813) - An issue was discovered in libjpeg 9a. The get_text_gray_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file. (CVE-2018-11213) - An issue was discovered in libjpeg 9a. The get_text_rgb_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file. (CVE-2018-11214) - An issue was discovered in libjpeg 9a. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file. (CVE-2018-11212) - get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries. (CVE-2018-14498) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132505
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132505
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : libjpeg-turbo Multiple Vulnerabilities (NS-SA-2019-0227)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2052.NASL
    descriptionAn update for libjpeg-turbo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance. Security Fix(es) : * libjpeg: NULL pointer dereference in cjpeg (CVE-2016-3616) * libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service (CVE-2018-14498) * libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c (CVE-2018-11212) * libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c (CVE-2018-11213) * libjpeg: Segmentation fault in get_text_rgb_row function in rdppm.c (CVE-2018-11214) * libjpeg:
    last seen2020-06-01
    modified2020-06-02
    plugin id128342
    published2019-08-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128342
    titleCentOS 7 : libjpeg-turbo (CESA-2019:2052)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1286.NASL
    descriptionThe cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.(CVE-2016-3616) libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.(CVE-2018-11813) An out-of-bounds read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PPM file. An attacker could use this flaw to crash the application and cause a denial of service.(CVE-2018-11214) An out-of-bound read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PGM file. An attacker could use this flaw to crash the application and cause a denial of service.(CVE-2018-11213) get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.(CVE-2018-14498) A divide by zero vulnerability has been discovered in libjpeg-turbo in alloc_sarray function of jmemmgr.c file. An attacker could use this vulnerability to cause a denial of service via a crafted file.(CVE-2018-11212)
    last seen2020-06-01
    modified2020-06-02
    plugin id129013
    published2019-09-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129013
    titleAmazon Linux AMI : libjpeg-turbo (ALAS-2019-1286)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190806_LIBJPEG_TURBO_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - libjpeg: NULL pointer dereference in cjpeg (CVE-2016-3616) - libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service (CVE-2018-14498) - libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c (CVE-2018-11212) - libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c (CVE-2018-11213) - libjpeg: Segmentation fault in get_text_rgb_row function in rdppm.c (CVE-2018-11214) - libjpeg:
    last seen2020-03-18
    modified2019-08-27
    plugin id128231
    published2019-08-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128231
    titleScientific Linux Security Update : libjpeg-turbo on SL7.x x86_64 (20190806)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1350.NASL
    descriptionThe cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.(CVE-2016-3616) A divide by zero vulnerability has been discovered in libjpeg-turbo in alloc_sarray function of jmemmgr.c file. An attacker could use this vulnerability to cause a denial of service via a crafted file. CVE-2018-11212) An out-of-bound read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PGM file. An attacker could use this flaw to crash the application and cause a denial of service.(CVE-2018-11213) An out-of-bounds read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PPM file. An attacker could use this flaw to crash the application and cause a denial of service.(CVE-2018-11214) libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.(CVE-2018-11813) get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.(CVE-2018-14498)
    last seen2020-06-01
    modified2020-06-02
    plugin id130602
    published2019-11-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130602
    titleAmazon Linux 2 : libjpeg-turbo (ALAS-2019-1350)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3706-1.NASL
    descriptionIt was discovered that libjpeg-turbo incorrectly handled certain malformed JPEG images. If a user or automated system were tricked into opening a specially crafted JPEG image, a remote attacker could cause libjpeg-turbo to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110973
    published2018-07-10
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110973
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : libjpeg-turbo vulnerabilities (USN-3706-1)

Redhat

advisories
rhsa
idRHSA-2019:2052
rpms
  • libjpeg-turbo-0:1.2.90-8.el7
  • libjpeg-turbo-debuginfo-0:1.2.90-8.el7
  • libjpeg-turbo-devel-0:1.2.90-8.el7
  • libjpeg-turbo-static-0:1.2.90-8.el7
  • libjpeg-turbo-utils-0:1.2.90-8.el7
  • turbojpeg-0:1.2.90-8.el7
  • turbojpeg-devel-0:1.2.90-8.el7