
Vulnerability of libjpeg: information disclosure via get_sos

Synthesis of the vulnerability 

An attacker can bypass access restrictions to data with get_sos() of libjpeg, in order to obtain sensitive information.
Vulnerable systems: Debian, BIG-IP Hardware, TMOS, Fedora, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 2016, Windows 7, Windows 8, Windows RT, Windows Vista, openSUSE, RHEL, Slackware.
Severity of this threat: 2/4.
Creation date: 19/02/2016.
References for this weakness: CVE-2013-6629, DSA-2797-1, FEDORA-2013-23722, FEDORA-2013-23749, FEDORA-2014-6859, FEDORA-2014-6870, MDVSA-2013:273, MDVSA-2013:274, openSUSE-SU-2013:1776-1, openSUSE-SU-2013:1777-1, openSUSE-SU-2014:0065-1, RHSA-2013:1803-01, RHSA-2013:1804-01, SOL59503294, SSA:2013-350-02, VIGILANCE-VUL-18980.

Description of the vulnerability 

An attacker can bypass access restrictions to data with get_sos() of libjpeg, in order to obtain sensitive information.

This weakness impacts software or systems such as Debian, BIG-IP Hardware, TMOS, Fedora, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 2016, Windows 7, Windows 8, Windows RT, Windows Vista, openSUSE, RHEL, Slackware.

Our Vigil@nce team determined that the severity of this vulnerability announcement is medium.

The trust level is "confirmed by the editor", and the origin is a document.

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat 

Debian: new chromium-browser packages.
New packages are available:
  chromium-browser 31.0.1650.57-1~deb7u1

F5 BIG-IP: fixed versions for libjpeg.
Fixed versions are indicated in information sources.

Fedora: new libjpeg-turbo packages.
New packages are available:
  libjpeg-turbo-1.2.90-3.fc19
  libjpeg-turbo-1.3.0-2.fc20

Fedora: new mingw-libjpeg-turbo packages.
New packages are available:
  Fedora 19: mingw-libjpeg-turbo 1.3.1-1.fc19
  Fedora 20: mingw-libjpeg-turbo 1.3.1-1.fc20

Mandriva BS: new libjpeg packages.
New packages are available:
  libjpeg-1.2.0-5.2.mbs1

Mandriva ES: new libjpeg packages.
New packages are available:
  libjpeg-6b-43.1mdvmes5.2

openSUSE 13.1: new chromium packages.
New packages are available:
  chromium-31.0.1650.63-13.7

openSUSE: new chromium packages.
New packages are available:
  openSUSE 12.2: chromium-31.0.1650.57-1.54.1
  openSUSE 12.3: chromium-31.0.1650.57-1.17.1

RHEL 5: new libjpeg packages.
New packages are available:
  libjpeg-6b-38

RHEL 6.5: new libjpeg-turbo packages.
New packages are available:
  libjpeg-turbo-1.2.1-3.el6_5

Slackware: new libjpeg packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/libjpeg-6b-i486-6_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/libjpeg-6b-x86_64-6_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/libjpeg-v8a-i486-2_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/libjpeg-v8a-x86_64-2_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/libjpeg-v8a-i486-2_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/libjpeg-v8a-x86_64-2_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libjpeg-v8a-i486-2_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libjpeg-v8a-x86_64-2_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libjpeg-v8a-i486-2_slack14.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libjpeg-v8a-x86_64-2_slack14.1.txz

Windows: patch.
A patch is indicated in information sources.
