Vulnerability Details : CVE-2013-6629
The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.
Vulnerability category: Information leak
Products affected by CVE-2013-6629
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:a:artifex:gpl_ghostscript:*:*:*:*:*:*:*:*
- cpe:2.3:a:libjpeg-turbo:libjpeg-turbo:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-6629
- EPSS score: 0.28% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~64% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2013-6629
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2013-6629
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2013-6629
- http://www-01.ibm.com/support/docview.wss?uid=swg21672080 - IBM Security Bulletin: InfoSphere Streams is possibly affected by vulnerabilities in the IBM® SDK, Java™ Technology Edition (CVE-2014-0453 and CVE-2014-0460) [Third Party Advisory]
- http://support.apple.com/kb/HT6162 - About the security content of iOS 7.1 - Apple Support [Third Party Advisory]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00120.html - openSUSE-SU-2013:1958-1: moderate: update for MozillaThunderbird [Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00026.html - [security-announce] openSUSE-SU-2013:1777-1: important: chromium: update [Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00087.html - openSUSE-SU-2013:1918-1: moderate: update for MozillaFirefox [Mailing List; Third Party Advisory]
- http://marc.info/?l=bugtraq&m=140852886808946&w=2 - '[security bulletin] HPSBUX03091 SSRT101667 rev.1 - HP-UX running Java7, Remote Unauthorized Access, ' - MARC [Issue Tracking; Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00121.html - openSUSE-SU-2013:1959-1: moderate: update for MozillaThunderbird [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2014:0414 - RHSA-2014:0414 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html - Oracle Critical Patch Update - April 2014 [Third Party Advisory]
- http://www.ubuntu.com/usn/USN-2053-1 - USN-2053-1: Thunderbird vulnerabilities | Ubuntu security notices [Third Party Advisory]
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00042.html - openSUSE-SU-2014:0065-1: moderate: update for chromium [Mailing List; Third Party Advisory]
- https://www.ibm.com/support/docview.wss?uid=swg21675973 - IBM Security Bulletin: Multiple vulnerabilities in IBM SDK for Java included with IBM Forms Viewer [Third Party Advisory]
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html - [SECURITY] Fedora 19 Update: firefox-26.0-2.fc19 [Mailing List; Third Party Advisory]
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 - Juniper Networks - 2015-10 Security Bulletin: CTPView: Multiple Vulnerabilities in CTPView [Third Party Advisory]
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html - Oracle Solaris Bulletin - April 2016 [Third Party Advisory]
- http://support.apple.com/kb/HT6163 - About the security content of Apple TV 6.1 - Apple Support [Third Party Advisory]
- http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html [Broken Link]
- https://security.gentoo.org/glsa/201606-03 - libjpeg-turbo: Multiple vulnerabilities (GLSA 201606-03) — Gentoo security [Third Party Advisory]
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:273 - mandriva.com [Broken Link]
- http://www.mozilla.org/security/announce/2013/mfsa2013-116.html - JPEG information leak — Mozilla [Third Party Advisory]
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2013-6629 - CVE-2013-6629 - Security Update Guide - Microsoft - libjpeg Information Disclosure Vulnerability [Patch; Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2013-1803.html - RHSA-2013:1803 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://code.google.com/p/chromium/issues/detail?id=258723 - 258723 - Security: JPEG info leak - chromium - Monorail [Issue Tracking; Third Party Advisory]
- http://marc.info/?l=bugtraq&m=140852974709252&w=2 - '[security bulletin] HPSBUX03092 SSRT101668 rev.1 - HP-UX running Java6, Remote Unauthorized Access, ' - MARC [Issue Tracking; Mailing List; Third Party Advisory]
- http://bugs.ghostscript.com/show_bug.cgi?id=686980 - 686980 – stripes in pdf [Issue Tracking; Vendor Advisory]
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00002.html - openSUSE-SU-2014:0008-1: moderate: update for seamonkey [Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00086.html - openSUSE-SU-2013:1917-1: moderate: update for MozillaFirefox [Mailing List; Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2013-1804.html - RHSA-2013:1804 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- http://advisories.mageia.org/MGASA-2013-0333.html - Mageia Advisory: MGASA-2013-0333 - Updated libjpeg packages fix vulnerabilities in libjpeg-turbo [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2014:0413 - RHSA-2014:0413 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124257.html - [SECURITY] Fedora 20 Update: firefox-26.0-3.fc20 [Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00119.html - openSUSE-SU-2013:1957-1: moderate: update for MozillaThunderbird [Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00002.html - [security-announce] openSUSE-SU-2013:1861-1: important: chromium: update [Mailing List; Third Party Advisory]
- http://www.ubuntu.com/usn/USN-2060-1 - USN-2060-1: libjpeg, libjpeg-turbo vulnerabilities | Ubuntu security notices [Third Party Advisory]
- http://www.ubuntu.com/usn/USN-2052-1 - USN-2052-1: Firefox vulnerabilities | Ubuntu security notices [Third Party Advisory]
- http://www-01.ibm.com/support/docview.wss?uid=swg21676746 - IBM Security Bulletin: IBM Lotus Expeditor fixes for multiple vulnerabilities in IBM JRE [Broken Link]
- http://support.apple.com/kb/HT6150 - About the security content of OS X Mavericks v10.9.2 and Security Update 2014-001 - Apple Support [Third Party Advisory]
- http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html - Chrome Releases: Stable Channel Update [Vendor Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00025.html - [security-announce] openSUSE-SU-2013:1776-1: important: chromium: 31.0.1 [Mailing List; Third Party Advisory]
- http://www.debian.org/security/2013/dsa-2799 - Debian -- Security Information -- DSA-2799-1 chromium-browser [Third Party Advisory]
- http://www.securitytracker.com/id/1029476 - Mozilla Seamonkey Multiple Flaws Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting Attacks - SecurityTracker [Broken Link; Third Party Advisory; VDB Entry]
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00085.html - openSUSE-SU-2013:1916-1: moderate: update for MozillaFirefox [Mailing List; Third Party Advisory]
- http://www.securityfocus.com/bid/63676 - libjpeg/libjpeg-turbo Library CVE-2013-6629 Memory Corruption Vulnerability [Broken Link; Third Party Advisory; VDB Entry]
- http://lists.fedoraproject.org/pipermail/package-announce/2014-January/125470.html - [SECURITY] Fedora 18 Update: thunderbird-24.2.0-2.fc18 [Mailing List; Third Party Advisory]
- https://bugzilla.mozilla.org/show_bug.cgi?id=891693 - 891693 - (CVE-2013-6629) JPEG info leak [Issue Tracking; Patch; Third Party Advisory]
- http://security.gentoo.org/glsa/glsa-201406-32.xml - IcedTea JDK: Multiple vulnerabilities (GLSA 201406-32) — Gentoo security [Third Party Advisory]
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124108.html - [SECURITY] Fedora 19 Update: thunderbird-24.2.0-2.fc19 [Mailing List; Third Party Advisory]
- https://src.chromium.org/viewvc/chrome?revision=229729&view=revision - [chrome] Revision 229729 [Patch; Third Party Advisory]
- http://www.securitytracker.com/id/1029470 - Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting Attacks - SecurityTracker [Broken Link; Third Party Advisory; VDB Entry]