ALT-PU-2024-1887-2

Package update libjpeg-turbo in branch sisyphus

Version3.0.2-alt1

Published2026-02-12

Max severityMEDIUM

Severity:

Closed issues (2)

MEDIUM6.5

Уязвимость функции h2v2_merged_upsample_internal() библиотеки libjpeg-turbo, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-02-11Modified: 2026-02-27

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2023-2804

MEDIUM6.5

A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.

Published: 2023-05-25Modified: 2025-01-16

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References