CVE-2013-6629
CVE-2013-6629 is a vulnerability of currently unknown severity. EPSS estimates a 10.12% chance of exploitation in the next 30 days.
Description
The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Google | Chrome | < 31.0.1650.48 |
| Oracle | Solaris | 11.3 |
| Artifex | GPL Ghostscript | < 9.03 |
| libjpeg-turbo | libjpeg-turbo | < 1.3.1 |
| Fedoraproject | Fedora | 18 |
| Fedoraproject | Fedora | 19 |
| Fedoraproject | Fedora | 20 |
| openSUSE | openSUSE | 12.2 |
| openSUSE | openSUSE | 12.3 |
| openSUSE | openSUSE | 13.1 |
| Canonical | Ubuntu Linux | 10.04 |
| Canonical | Ubuntu Linux | 12.04 |
| Canonical | Ubuntu Linux | 12.10 |
| Canonical | Ubuntu Linux | 13.04 |
| Canonical | Ubuntu Linux | 13.10 |
| Debian | Debian Linux | 7.0 |
| Debian | Debian Linux | 8.0 |
| Mozilla | Firefox | < 24.2 |
| Mozilla | Firefox | < 26.0 |
| Mozilla | SeaMonkey | < 2.23 |
| Mozilla | Thunderbird | < 24.2.0 |
References
- http://advisories.mageia.org/MGASA-2013-0333.html (Third Party Advisory)
- http://bugs.ghostscript.com/show_bug.cgi?id=686980 (Issue Tracking, Vendor Advisory)
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html (Mailing List, Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124108.html (Mailing List, Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124257.html (Mailing List, Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2014-January/125470.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00025.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00026.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00002.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00085.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00086.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00087.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00119.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00120.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00121.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00002.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00042.html (Mailing List, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=140852886808946&w=2 (Issue Tracking, Mailing List, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=140852974709252&w=2 (Issue Tracking, Mailing List, Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-1803.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-1804.html (Third Party Advisory)
- http://secunia.com/advisories/56175 (Not Applicable)
- http://secunia.com/advisories/58974 (Not Applicable)
- http://secunia.com/advisories/59058 (Not Applicable)
- http://security.gentoo.org/glsa/glsa-201406-32.xml (Third Party Advisory)
- http://support.apple.com/kb/HT6150 (Third Party Advisory)
- http://support.apple.com/kb/HT6162 (Third Party Advisory)
- http://support.apple.com/kb/HT6163 (Third Party Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg21672080 (Third Party Advisory)
- http://www.debian.org/security/2013/dsa-2799 (Third Party Advisory)
- http://www.mozilla.org/security/announce/2013/mfsa2013-116.html (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html (Third Party Advisory)
- http://www.securityfocus.com/bid/63676 (Broken Link, Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1029470 (Broken Link, Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1029476 (Broken Link, Third Party Advisory, VDB Entry)
- http://www.ubuntu.com/usn/USN-2052-1 (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-2053-1 (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-2060-1 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2014:0413 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2014:0414 (Third Party Advisory)
- https://bugzilla.mozilla.org/show_bug.cgi?id=891693 (Issue Tracking, Patch, Third Party Advisory)
- https://code.google.com/p/chromium/issues/detail?id=258723 (Issue Tracking, Third Party Advisory)
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2013-6629 (Patch, Third Party Advisory)
- https://security.gentoo.org/glsa/201606-03 (Third Party Advisory)
- https://src.chromium.org/viewvc/chrome?revision=229729&view=revision (Patch, Third Party Advisory)
- https://www.ibm.com/support/docview.wss?uid=swg21675973 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
