What is CVE-2020-13790?

CVE-2020-13790 is a vulnerability found in libjpeg-turbo 2.0.4 and mozjpeg 4.0.0, which allows a heap-based buffer over-read in the 'get_rgb_row()' function in rdppm.c through a malformed PPM input file.

Which software versions are affected by CVE-2020-13790?

The affected software versions include libjpeg-turbo 2.0.4 and mozjpeg 4.0.0.

What is the severity of CVE-2020-13790?

CVE-2020-13790 has a severity rating of 8.1 (High).

How can I fix the vulnerability CVE-2020-13790?

To fix the vulnerability, you should update libjpeg-turbo to version 1.5.2-0ubuntu5.18.04.4, or a higher version if available.

Where can I find more information about CVE-2020-13790?

You can find more information about CVE-2020-13790 at the following references: [reference 1](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00031.html), [reference 2](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00062.html), [reference 3](https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a).

Vulnerability/
CVE-2020-13790

high

8.1

CWE

125

3/6/2020

4/8/2024

CVE-2020-13790

First published: Wed Jun 03 2020(Updated: )

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
ubuntu/libjpeg-turbo	<1.5.2-0ubuntu5.18.04.4	1.5.2-0ubuntu5.18.04.4
ubuntu/libjpeg-turbo	<2.0.3-0ubuntu1.19.10.1	2.0.3-0ubuntu1.19.10.1
ubuntu/libjpeg-turbo	<2.0.3-0ubuntu1.20.04.1	2.0.3-0ubuntu1.20.04.1
ubuntu/libjpeg-turbo	<1.3.0-0ubuntu2.1+	1.3.0-0ubuntu2.1+
ubuntu/libjpeg-turbo	<1.4.2-0ubuntu3.4	1.4.2-0ubuntu3.4
	=2.0.4
	=4.0.0
Libjpeg-turbo Libjpeg-turbo	=2.0.4
Mozilla Mozjpeg	=4.0.0
debian/libjpeg-turbo		1:1.5.2-2+deb10u1 1:2.0.6-4 1:2.1.5-2

Remedy

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

USN-4386-1

Frequently Asked Questions

What is CVE-2020-13790?
CVE-2020-13790 is a vulnerability found in libjpeg-turbo 2.0.4 and mozjpeg 4.0.0, which allows a heap-based buffer over-read in the 'get_rgb_row()' function in rdppm.c through a malformed PPM input file.
Which software versions are affected by CVE-2020-13790?
The affected software versions include libjpeg-turbo 2.0.4 and mozjpeg 4.0.0.
What is the severity of CVE-2020-13790?
CVE-2020-13790 has a severity rating of 8.1 (High).
How can I fix the vulnerability CVE-2020-13790?
To fix the vulnerability, you should update libjpeg-turbo to version 1.5.2-0ubuntu5.18.04.4, or a higher version if available.
Where can I find more information about CVE-2020-13790?
You can find more information about CVE-2020-13790 at the following references: [reference 1](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00031.html), [reference 2](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00062.html), [reference 3](https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a).

collector/nvd-index
agent/type
agent/last-modified-date
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/references
agent/author
agent/softwarecombine
collector/usn-cve
source/Ubuntu
agent/software-canonical-lookup
agent/weakness
agent/remedy
agent/severity
agent/description
collector/security-tracker-debian
source/Debian
collector/nvd-cve
source/NVD
agent/tags
agent/event
collector/mitre-cve
source/MITRE
vendor/libjpeg-turbo
canonical/libjpeg-turbo libjpeg-turbo
version/libjpeg-turbo libjpeg-turbo/2.0.4
vendor/mozilla
canonical/mozilla mozjpeg
version/mozilla mozjpeg/4.0.0
package-manager/ubuntu
package-manager/debian