First published: Mon Mar 21 2016(Updated: )
A null pointer dereference vulnerability was reported in libjpeg library in cjpeg component. A maliciously crafted file could cause an application to crash. In specific cases this may also allow the attacker to remotely execute commands.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Libjpeg-turbo Libjpeg-turbo | =7.4 | |
Redhat Enterprise Linux | =7.4 | |
Debian Debian Linux | =8.0 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
debian/libjpeg-turbo | 1:2.0.6-4 1:2.1.5-2 1:2.1.5-3 | |
debian/libjpeg6b | <=1:6b2-4 | |
debian/libjpeg9 | 1:9f-1 |
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/6709e4a0cfa44d4f54ee8ad05753d4aa9260cb91
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2016-3616.
CVE-2016-3616 has a severity rating of 8.8, which is considered high.
The libjpeg-turbo package versions 1.5.2-2+deb10u1, 2.0.6-4, and 2.1.5-2 are affected. The libjpeg6b package version 1:6b2-3.1 is also affected. The libjpeg9 package version 1:9e-1 is affected. On Ubuntu, the libjpeg-turbo package version 1.3.0-0ubuntu2.1 is affected. Additionally, the libjpeg-turbo package versions 1.4.2 and the libjpeg9 package version 1:9 are affected on Ubuntu.
CVE-2016-3616 can be exploited by remote attackers who send a crafted file to the cjpeg utility in libjpeg, causing a NULL pointer dereference and application crash, or potentially leading to arbitrary code execution.
Yes, there are remedies available for CVE-2016-3616. For the affected libjpeg-turbo package, upgrading to versions 1.5.2-2+deb10u1, 2.0.6-4, or 2.1.5-2 will fix the vulnerability. Upgrading to libjpeg6b version 1:6b2-3.1 or libjpeg9 version 1:9e-1 will also fix the vulnerability. Ubuntu users can upgrade to libjpeg-turbo version 1.3.0-0ubuntu2.1, libjpeg-turbo version 1.4.2, or libjpeg9 version 1:9 to fix the vulnerability.