A heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create a specially-crafted JPEG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

Patch:
http://libjpeg-turbo.svn.sourceforge.net/viewvc/libjpeg-turbo?view=revision&revision=830

References:
http://code.google.com/p/chromium/issues/detail?id=130240
https://bugzilla.mozilla.org/show_bug.cgi?id=759802

Acknowledgements: Red Hat would like to thank Chris Evans of the Google Security Team for reporting this issue. Upstream acknowledges Atte Kettunen as the original reporter.
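
As an added example (not code from libjpeg-turbo, the upstream patch or this report), the following C pre-check rejects a JPEG whose frame or scan header declares an out-of-range component count before the file reaches a decoder. The function names and the constructed sample bytes are assumptions; the limits 10 and 4 are libjpeg's MAX_COMPONENTS and MAX_COMPS_IN_SCAN, and because the report does not say which header's count was involved, both are checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS    10  /* libjpeg limit: components per image (SOF Nf) */
#define MAX_COMPS_IN_SCAN  4  /* libjpeg limit: components per scan (SOS Ns) */
enum { JPEG_OK = 0, JPEG_MALFORMED = -1, JPEG_BAD_COUNT = -2 };

/* Walk marker segments up to the first SOS; reject bad component counts. */
int jpeg_check_component_counts(const uint8_t *buf, size_t len) {
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_MALFORMED;
    size_t pos = 2; unsigned nf = 0;                /* nf: Nf from the last SOF */
    while (pos + 4 <= len) {
        if (buf[pos] != 0xFF) return JPEG_MALFORMED;
        uint8_t m = buf[pos + 1];
        if (m == 0xFF) { pos++; continue; }         /* fill byte */
        if (m <= 0x01 || (m >= 0xD0 && m <= 0xD9)) return JPEG_MALFORMED; /* no length field */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || seglen > len - pos - 2) return JPEG_MALFORMED;
        const uint8_t *p = buf + pos + 4;           /* segment payload */
        size_t plen = seglen - 2;
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (plen < 6 || p[5] < 1 || p[5] > MAX_COMPONENTS || plen != 6 + 3u * p[5])
                return JPEG_BAD_COUNT;              /* SOFn: Nf is payload[5] */
            nf = p[5];
        } else if (m == 0xDA) {                     /* SOS: Ns is payload[0] */
            if (plen < 1 || p[0] < 1 || p[0] > MAX_COMPS_IN_SCAN || p[0] > nf ||
                plen != 4 + 2u * p[0]) return JPEG_BAD_COUNT;
            return JPEG_OK;
        }
        pos += 2 + seglen;
    }
    return JPEG_MALFORMED;                          /* no SOS found */
}

/* Constructed sample (not from the page): SOI, SOF0 1x1 with Nf=3, SOS with Ns=3. */
static const uint8_t sample_ok[] = {
    0xFF,0xD8, 0xFF,0xC0,0x00,0x11,0x08,0x00,0x01,0x00,0x01,0x03,
    0x01,0x11,0x00, 0x02,0x11,0x00, 0x03,0x11,0x00,
    0xFF,0xDA,0x00,0x0C,0x03,0x01,0x00,0x02,0x00,0x03,0x00,0x00,0x3F,0x00 };
/* Hypothetical helper: overwrite one byte in a copy of the sample, then re-check. */
int check_with_byte(size_t off, uint8_t v) {
    uint8_t tmp[sizeof sample_ok];
    memcpy(tmp, sample_ok, sizeof tmp);
    tmp[off % sizeof tmp] = v;
    return jpeg_check_component_counts(tmp, sizeof tmp);
}
int main(void) {
    printf("Nf=255: %d, Ns=64: %d\n", check_with_byte(11, 0xFF), check_with_byte(25, 0x40));
    return 0;
}
```

A check like this only filters input ahead of the decoder; installing the fixed libjpeg-turbo package remains the remedy.
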
Created libjpeg-turbo tracking bugs for this issue

Affects: fedora-all [bug 840719]

libjpeg-turbo-1.2.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.