First published: Thu Nov 06 2014
A flaw in libjpeg-turbo was reported [1],[2],[3] that could lead to a local denial of service when processing a specially-crafted JPEG image. One of the reports indicates that this only affects versions of libjpeg-turbo prior to 1.3.1, because 1.3.1 rejects the malformed image for its duplicate SOI markers. Upstream has fixes for this issue [4],[5]. Also refer to the upstream bug [6].

[1] http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26482&sid=81658bc2f51a8d9893279cd01e83783f

[2] http://seclists.org/oss-sec/2014/q4/557

[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768369

[4] http://sourceforge.net/p/libjpeg-turbo/code/1365/

[5] http://sourceforge.net/p/libjpeg-turbo/code/1367/

[6] http://sourceforge.net/p/libjpeg-turbo/bugs/64/
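The duplicate-SOI rejection mentioned in the description can be approximated as a pre-screening step for images headed to a decoder that has not yet been updated. This is an added example, not code from libjpeg-turbo or from the linked reports; the function names and sample byte strings are constructed for illustration, and it checks only the header marker layout, not the flaw itself.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))

def header_markers(data):
    """Yield (offset, code) for each marker from the file start through SOS."""
    pos = 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF or data[pos + 1] == 0x00:
            raise ValueError(f"expected marker at offset {pos}")
        if data[pos + 1] == 0xFF:       # fill byte before the marker code
            pos += 1
            continue
        code = data[pos + 1]
        yield pos, code
        pos += 2
        if code in (SOS, EOI):          # entropy-coded data follows; stop here
            return
        if code not in STANDALONE:
            if pos + 2 > len(data):
                raise ValueError("truncated segment length")
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            if length < 2 or pos + length > len(data):
                raise ValueError(f"bad segment length at offset {pos}")
            pos += length               # length counts its own two bytes
    raise ValueError("no SOS marker before end of data")

def screen_jpeg(data):
    """Return 'ok' or a 'reject: ...' reason for the header marker layout."""
    seen = []
    try:
        for offset, code in header_markers(data):
            if code == SOI and SOI in seen:
                return f"reject: duplicate SOI at offset {offset}"
            seen.append(code)
    except ValueError as exc:
        return f"reject: {exc}"
    if not seen or seen[0] != SOI:
        return "reject: no SOI at start"
    return "ok"

# Constructed samples (not real images): a minimal header, one with a second
# SOI between segments, and one whose APP1 payload embeds FF D8 (a thumbnail).
TAIL = b"\xff\xda\x00\x02\x00\xff\xd9"
GOOD = b"\xff\xd8" + b"\xff\xe0\x00\x04\x00\x00" + TAIL
DUP = b"\xff\xd8" + b"\xff\xe0\x00\x04\x00\x00" + b"\xff\xd8" + TAIL
THUMB = b"\xff\xd8" + b"\xff\xe1\x00\x06\xff\xd8\xff\xd9" + TAIL

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("dup", DUP), ("thumb", THUMB)):
        print(name, screen_jpeg(blob))
```

Because the walker skips each segment by its declared length, an SOI inside an APP1 payload (an embedded thumbnail) is not flagged; only an SOI at segment level is.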
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Libjpeg-turbo Libjpeg-turbo | <=1.2.90 | |
Fedoraproject Fedora | =20 | |
Fedoraproject Fedora | =21 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =14.10 | |
debian/libjpeg-turbo | 1:2.0.6-4 1:2.1.5-2 1:2.1.5-3 | |
F5 Traffix SDC | >=5.1.0 <=5.2.0 | |
CVE-2014-9092 is a vulnerability that allows remote attackers to cause a denial of service (crash) by exploiting a flaw in libjpeg-turbo, a JPEG processing library.
CVE-2014-9092 has a severity rating of 6.5 (medium).
CVE-2014-9092 affects libjpeg-turbo versions 1.3.0-0ubuntu2.1, 1:1.3.1-11, 1:1.5.2-2+deb10u1, 1:2.0.6-4, and 1:2.1.5-2.
To fix CVE-2014-9092, update your libjpeg-turbo package to version 1.3.1 or later.
You can find more information about CVE-2014-9092 at the following references: [1](http://www.openwall.com/lists/oss-security/2014/11/26/8), [2](http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26482&sid=81658bc2f51a8d9893279cd01e83783f), [3](https://tapani.tarvainen.info/linux/convertbug/).