CVE-2017-9614 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9614) The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted jpg file. References: http://seclists.org/fulldisclosure/2017/Jul/66
Vulnerability was reported (1) day ago. 1.5.2 was released 20 days ago. jpegdatasrc.c has not been touched in over a year. This has not been patched.
This was reported on the github repo of upstream, seems as if this CVE is somehow wrongfully linked to them? https://github.com/libjpeg-turbo/libjpeg-turbo/issues/167#issuecomment-328582075 Which would explain the absence of any fix or commit in libjpeg-turbo's code.
ping...
According to the information from the link which I posted, the maintainer states that this is the result of an abuse of the ABI and the whole CVE is invalid. Feel free to double check his statement.
CVE was wrongly assigned to libjpeg-turbo.