Vulnerability CVE-2020-13790: Information

Description

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-13790

Published: June 3, 2020

Modified: Nov. 7, 2023

Error type identifier: CWE-125

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
libjpeg-turbo	sisyphus	2.0.6-alt1	3.0.2-alt2.1	ALT-PU-2021-1392-1	266888	Fixed
libjpeg-turbo	sisyphus_riscv64	2.0.6-alt0.4.rv64	3.0.2-alt2.1	ALT-PU-2021-4726-1	-	Fixed
libjpeg-turbo	p10	2.0.6-alt1	2.1.5.1-alt1.p10.2	ALT-PU-2021-1392-1	266888	Fixed
libjpeg-turbo	c10f1	2.0.6-alt1	2.1.2-alt1.2	ALT-PU-2021-1392-1	266888	Fixed
libjpeg-turbo	p11	2.0.6-alt1	3.0.2-alt2.1	ALT-PU-2021-1392-1	266888	Fixed
libjpeg8	sisyphus	2.0.5-alt1	3.0.3-alt1	ALT-PU-2020-2229-1	253966	Fixed
libjpeg8	p10	2.0.5-alt1	2.1.0-alt1.1	ALT-PU-2020-2229-1	253966	Fixed
libjpeg8	p9	2.0.5-alt1	2.0.5-alt1	ALT-PU-2020-2252-1	253974	Fixed
libjpeg8	c10f1	2.0.5-alt1	2.1.0-alt1.1	ALT-PU-2020-2229-1	253966	Fixed
libjpeg8	c9f2	2.0.5-alt1	2.0.5-alt1	ALT-PU-2020-2252-1	253974	Fixed
libjpeg8	p11	2.0.5-alt1	3.0.3-alt1	ALT-PU-2020-2229-1	253966	Fixed

Hyperlink	Resource
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433	Exploit Third Party Advisory
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a	Patch Third Party Advisory
USN-4386-1
[debian-lts-announce] 20200731 [SECURITY] [DLA 2302-1] libjpeg-turbo security update
openSUSE-SU-2020:1413
openSUSE-SU-2020:1458
GLSA-202010-03
FEDORA-2020-f09ecf5985
FEDORA-2020-86fa578c8d

Affected configurations:
1. Configuration 1
  cpe:2.3:a:libjpeg-turbo:libjpeg-turbo:2.0.4:*:*:*:*:*:*:*
  cpe:2.3:a:mozilla:mozjpeg:4.0.0:*:*:*:*:*:*:*

Version: v24.5.3