Hi Bill,

On Mon, Apr 04, 2016 at 09:10:16PM +0200, Bill Allombert wrote:
> On Mon, Apr 04, 2016 at 02:35:03PM +0200, Salvatore Bonaccorso wrote:
> > Source: libjpeg9
> > Version: 1:9b-1
> > Severity: important
> > Tags: security upstream
> >
> > Hi,
> >
> > the following vulnerability was published for libjpeg9. The issue
> > is in the cjpeg utility.
> >
> > CVE-2016-3616[0]:
> > null pointer dereference in cjpeg
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Hello Salvatore,
>
> Upstream has confirmed that only cjpeg is affected, and so
> only libjpeg-progs and not the binary package libjpeg9.

Yes this is true, thus I have reported to the Source package since
vulnerable code is present. Untested, but I guess the same patch applies
as was for libjpeg-turbo to resolve the problem in the cjpeg utility.

Thanks for quick followup and regards,
Salvatore