From ${URL} :
[15] Fixed an extremely rare bug that could cause the Huffman encoder's local buffer to overrun when a very high-frequency MCU is compressed using quality 100 and no subsampling, and when the JPEG output buffer is being dynamically resized by the destination manager. This issue was so rare that, even with a test program specifically designed to make the bug occur (by injecting random high-frequency YUV data into the compressor), it was reproducible only once in about every 25 million iterations.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
We have 1.4.2 in the tree... but I don't know if it's ready for stabilization :/
Any updates on this??? Holding up a GLSA.
(In reply to Pacho Ramos from comment #1)
> We have 1.4.2 in the tree... but I don't know if it's ready for
> stabilization :/
go ahead and stabilize, there are no regressions that I am aware of at this time.
Arches, please test and mark stable:
=media-libs/libjpeg-turbo-1.4.2
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Thank you!
amd64 stable
x86 stable
sparc stable
Stable for HPPA PPC64.
ppc stable
arm stable
alpha stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work. Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s).
(In reply to Yury German from comment #13)
> Arches, Thank you for your work.
> Added to an existing GLSA Request.
>
> Maintainer(s), please drop the vulnerable version(s).
Done: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcd7c70dc22c55d74cfcfb75b3acc8c68120cca3
This issue was resolved and addressed in GLSA 201606-03 at https://security.gentoo.org/glsa/201606-03 by GLSA coordinator Yury German (BlueKnight)