Vulnerabilities > CVE-2018-11813 - Excessive Iteration vulnerability in IJG Libjpeg 9C
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0185_LIBJPEG-TURBO.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libjpeg-turbo packages installed that are affected by multiple vulnerabilities: - The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file. (CVE-2016-3616) - libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF. (CVE-2018-11813) - An issue was discovered in libjpeg 9a. The get_text_gray_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file. (CVE-2018-11213) - An issue was discovered in libjpeg 9a. The get_text_rgb_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file. (CVE-2018-11214) - An issue was discovered in libjpeg 9a. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file. (CVE-2018-11212) - get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries. (CVE-2018-14498) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 129912 published 2019-10-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129912 title NewStart CGSL CORE 5.04 / MAIN 5.04 : libjpeg-turbo Multiple Vulnerabilities (NS-SA-2019-0185) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0711-1.NASL description This update for libjpeg-turbo fixes the following issues : The following security vulnerabilities were addressed : CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function which could allow to an attacker to cause denial of service (bsc#1128712). CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c, which allowed remote attackers to cause a denial-of-service via crafted JPG files due to a large loop (bsc#1096209) CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused by a divide by zero when processing a crafted BMP image (bsc#1098155) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 123067 published 2019-03-25 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123067 title SUSE SLED15 / SLES15 Security Update : libjpeg-turbo (SUSE-SU-2019:0711-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1159.NASL description According to the version of the libjpeg-turbo package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.i1/4^CVE-2018-11813i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-19 modified 2019-04-09 plugin id 123845 published 2019-04-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123845 title EulerOS Virtualization 2.5.3 : libjpeg-turbo (EulerOS-SA-2019-1159) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-2052.NASL description An update for libjpeg-turbo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance. Security Fix(es) : * libjpeg: NULL pointer dereference in cjpeg (CVE-2016-3616) * libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service (CVE-2018-14498) * libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c (CVE-2018-11212) * libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c (CVE-2018-11213) * libjpeg: Segmentation fault in get_text_rgb_row function in rdppm.c (CVE-2018-11214) * libjpeg: last seen 2020-06-01 modified 2020-06-02 plugin id 127661 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127661 title RHEL 7 : libjpeg-turbo (RHSA-2019:2052) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-1343.NASL description This update for libjpeg-turbo fixes the following issues : The following security vulnerabilities were addressed : - CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function which could allow to an attacker to cause denial of service (bsc#1128712). - CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c, which allowed remote attackers to cause a denial-of-service via crafted JPG files due to a large loop (bsc#1096209) - CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused by a divide by zero when processing a crafted BMP image (bsc#1098155) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 124708 published 2019-05-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124708 title openSUSE Security Update : libjpeg-turbo (openSUSE-2019-1343) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1079.NASL description According to the version of the libjpeg-turbo package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.(CVE-2018-11813) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122701 published 2019-03-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122701 title EulerOS Virtualization 2.5.2 : libjpeg-turbo (EulerOS-SA-2019-1079) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1299.NASL description According to the version of the libjpeg-turbo packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.(CVE-2018-11813) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-10-11 plugin id 118049 published 2018-10-11 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118049 title EulerOS 2.0 SP3 : libjpeg-turbo (EulerOS-SA-2018-1299) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1825-1.NASL description This update for jpeg fixes the following issues : - CVE-2017-15232: NULL pointer dereferences in jdpostct.c and jquant1.c could lead to denial of service (crash) when processing images [bsc#1062937] - CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c, which allowed remote attackers to cause a denial-of-service via crafted JPG files due to a large loop [bsc#1096209] - CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused by a divide by zero when processing a crafted BMP image [bsc#1098155] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 110762 published 2018-06-28 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110762 title SUSE SLES11 Security Update : jpeg (SUSE-SU-2018:1825-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-1118.NASL description This update for libjpeg-turbo fixes the following issues : The following security vulnerabilities were addressed : - CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function which could allow to an attacker to cause denial of service (bsc#1128712). - CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c, which allowed remote attackers to cause a denial-of-service via crafted JPG files due to a large loop (bsc#1096209) - CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused by a divide by zero when processing a crafted BMP image (bsc#1098155) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 123665 published 2019-04-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123665 title openSUSE Security Update : libjpeg-turbo (openSUSE-2019-1118) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1298.NASL description According to the version of the libjpeg-turbo packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.(CVE-2018-11813) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-09-27 plugin id 117742 published 2018-09-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117742 title EulerOS 2.0 SP2 : libjpeg-turbo (EulerOS-SA-2018-1298) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0227_LIBJPEG-TURBO.NASL description The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has libjpeg-turbo packages installed that are affected by multiple vulnerabilities: - The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file. (CVE-2016-3616) - libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF. (CVE-2018-11813) - An issue was discovered in libjpeg 9a. The get_text_gray_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file. (CVE-2018-11213) - An issue was discovered in libjpeg 9a. The get_text_rgb_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file. (CVE-2018-11214) - An issue was discovered in libjpeg 9a. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file. (CVE-2018-11212) - get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries. (CVE-2018-14498) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 132505 published 2019-12-31 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132505 title NewStart CGSL CORE 5.05 / MAIN 5.05 : libjpeg-turbo Multiple Vulnerabilities (NS-SA-2019-0227) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2019-2052.NASL description An update for libjpeg-turbo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance. Security Fix(es) : * libjpeg: NULL pointer dereference in cjpeg (CVE-2016-3616) * libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service (CVE-2018-14498) * libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c (CVE-2018-11212) * libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c (CVE-2018-11213) * libjpeg: Segmentation fault in get_text_rgb_row function in rdppm.c (CVE-2018-11214) * libjpeg: last seen 2020-06-01 modified 2020-06-02 plugin id 128342 published 2019-08-30 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128342 title CentOS 7 : libjpeg-turbo (CESA-2019:2052) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2019-1286.NASL description The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.(CVE-2016-3616) libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.(CVE-2018-11813) An out-of-bounds read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PPM file. An attacker could use this flaw to crash the application and cause a denial of service.(CVE-2018-11214) An out-of-bound read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PGM file. An attacker could use this flaw to crash the application and cause a denial of service.(CVE-2018-11213) get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.(CVE-2018-14498) A divide by zero vulnerability has been discovered in libjpeg-turbo in alloc_sarray function of jmemmgr.c file. An attacker could use this vulnerability to cause a denial of service via a crafted file.(CVE-2018-11212) last seen 2020-06-01 modified 2020-06-02 plugin id 129013 published 2019-09-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129013 title Amazon Linux AMI : libjpeg-turbo (ALAS-2019-1286) NASL family Scientific Linux Local Security Checks NASL id SL_20190806_LIBJPEG_TURBO_ON_SL7_X.NASL description Security Fix(es) : - libjpeg: NULL pointer dereference in cjpeg (CVE-2016-3616) - libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service (CVE-2018-14498) - libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c (CVE-2018-11212) - libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c (CVE-2018-11213) - libjpeg: Segmentation fault in get_text_rgb_row function in rdppm.c (CVE-2018-11214) - libjpeg: last seen 2020-03-18 modified 2019-08-27 plugin id 128231 published 2019-08-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128231 title Scientific Linux Security Update : libjpeg-turbo on SL7.x x86_64 (20190806) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2019-1350.NASL description The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.(CVE-2016-3616) A divide by zero vulnerability has been discovered in libjpeg-turbo in alloc_sarray function of jmemmgr.c file. An attacker could use this vulnerability to cause a denial of service via a crafted file. CVE-2018-11212) An out-of-bound read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PGM file. An attacker could use this flaw to crash the application and cause a denial of service.(CVE-2018-11213) An out-of-bounds read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PPM file. An attacker could use this flaw to crash the application and cause a denial of service.(CVE-2018-11214) libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.(CVE-2018-11813) get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.(CVE-2018-14498) last seen 2020-06-01 modified 2020-06-02 plugin id 130602 published 2019-11-07 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130602 title Amazon Linux 2 : libjpeg-turbo (ALAS-2019-1350) NASL family Fedora Local Security Checks NASL id FEDORA_2018-0E72EF852A.NASL description Fix for **CVE-2018-11813**. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120234 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120234 title Fedora 28 : libjpeg-turbo (2018-0e72ef852a) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-1111-1.NASL description This update for libjpeg-turbo fixes the following issues : The following security vulnerabilities were addressed : CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function which could allow to an attacker to cause denial of service (bsc#1128712). CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c, which allowed remote attackers to cause a denial-of-service via crafted JPG files due to a large loop (bsc#1096209) CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused by a divide by zero when processing a crafted BMP image (bsc#1098155) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124453 published 2019-05-01 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124453 title SUSE SLED12 / SLES12 Security Update : libjpeg-turbo (SUSE-SU-2019:1111-1)
Redhat
| advisories |
| ||||
| rpms |
|
References
- https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9c
- https://github.com/ChijinZ/security_advisories/blob/master/libjpeg-v9c/mail.pdf
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00015.html
- https://access.redhat.com/errata/RHSA-2019:2052
- https://bugs.gentoo.org/727908
- http://www.ijg.org/files/jpegsrc.v9d.tar.gz