| Summary: | media-libs/libjpeg-turbo: Denial of Service (CVE-2017-9614) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Aleksandr Wagner (Kivak) <alwag> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | anarchy, graphics+disabled, leio |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [upstream cve] | | |
| Package list: | | Runtime testing required: | --- |

Description
Aleksandr Wagner (Kivak)
2017-07-27 07:54:21 UTC
Vulnerability was reported (1) day ago. 1.5.2 was released 20 days ago. jpegdatasrc.c has not been touched in over a year. This has not been patched.

This was reported on the GitHub repo of upstream; it seems as if this CVE is somehow wrongfully linked to them? https://github.com/libjpeg-turbo/libjpeg-turbo/issues/167#issuecomment-328582075 Which would explain the absence of any fix or commit in libjpeg-turbo's code.

ping...

According to the information from the link which I posted, the maintainer states that this is the result of an abuse of the ABI and the whole CVE is invalid. Feel free to double check his statement.

CVE was wrongly assigned to libjpeg-turbo.