On Mon, Oct 16, 2017 at 01:54:34PM +0200, Bill Allombert wrote: > On Mon, Oct 16, 2017 at 01:44:14PM +0200, Ola Lundqvist wrote: > > Hi > > > > Sorry. Wrong year in the CVE. > > > > The correct CVE is CVE-2017-15232. > > Yes, I finally found it. Any evidence it affects libjpeg ? For all I > see it relies on code added to libjpeg-turbo. > To start with, djpeg in wheezy lacks the -crop option.
The upstream maintainer of libjpeg confirmed to me that this CVE do not apply to any IJG libjpeg libraries. Cheers, -- Bill. <[email protected]> Imagine a large red swirl here.
