<?xml version="1.0" encoding="utf-8"?>
<glsa id="200606-11">
<title>JPEG library: Denial of Service</title>
<synopsis>
The JPEG library is vulnerable to a Denial of Service.
</synopsis>
<product type="ebuild">jpeg</product>
<announced>June 11, 2006</announced>
<revised>July 29, 2006: 02</revised>
<affected>
<package name="media-libs/jpeg" auto="yes" arch="*">
<unaffected range="ge">6b-r7</unaffected>
<vulnerable range="lt">6b-r7</vulnerable>
</package>
</affected>
<background>
<p>
The JPEG library is able to load, handle and manipulate images in the
JPEG format.
</p>
</background>
<description>
<p>
Tavis Ormandy of the Gentoo Linux Auditing Team discovered that the
vulnerable JPEG library ebuilds compile JPEG without the --maxmem
feature, which is not recommended.
</p>
</description>
<impact type="normal">
<p>
By enticing a user to load a specially crafted JPEG image file, an
attacker could cause a Denial of Service due to memory exhaustion.
</p>
</impact>
<workaround>
<p>
There is no known workaround at this time.
</p>
</workaround>
<resolution>
<p>
JPEG users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=media-libs/jpeg-6b-r7&quot;</code>
</resolution>
<references>
<uri link="">CVE-2006-3005</uri>
</references>
<metadata tag="requester" timestamp="Mon, 05 Jun 2006 22:15:44 +0000">
<metadata tag="bugReady" timestamp="Mon, 05 Jun 2006 22:17:08 +0000">
<metadata tag="submitter" timestamp="Tue, 06 Jun 2006 08:58:39 +0000">