Is CVE-2020-14153 present in libjpeg-turbo? #445
Unclear. I cannot find any information on how to reproduce the bug. I can tell you that the
Analysis

The array access in question occurs in

Thus, as near as I can determine, the circumstances under which this issue could occur are present only in libjpeg v8-v9c (inclusive) and not in libjpeg-turbo. Those circumstances are:
Conclusion

This issue appears to have been introduced solely in libjpeg. However, it's incredible that the Security Powers That Be(TM) would assign a CVE to it without providing any information regarding how to reproduce it. It appears that they are merely citing the Gentoo bug report as evidence, but that bug report just accepted the vulnerability as a given, which seems like a circular argument to me. It is unclear to me how an end user could reproduce this issue in libjpeg, so it is unclear to me why it is even a real (as opposed to hypothetical) vulnerability. Without that knowledge, I can only base my conclusion on a review of the code. That code review strongly suggests that the issue in question cannot be encountered in libjpeg-turbo, but that conclusion would be stronger if it could be demonstrated that a specific input image triggers the alleged security vulnerability in libjpeg v8-v9c but not in libjpeg-turbo.
https://nvd.nist.gov/vuln/detail/CVE-2020-14153
https://security-tracker.debian.org/tracker/CVE-2020-14153
My best guess is that this is fixed in the following change in jpeg 9d:
Is this any vulnerability that is or was present in libjpeg-turbo?