CVE-2020-17541 log

Source
Severity Low
Remote Yes
Type Arbitrary code execution
Description
libjpeg-turbo before version 2.0.4 has a stack-based buffer overflow in the "transform" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.

Note: according to upstream: "Given that the buffer overrun was fully contained within the stack and did not cause a segfault or other user-visible errant behavior, and given that the lossless transformer (unlike the decompressor) is not generally exposed to arbitrary data exploits, this issue did not likely pose a security risk.
Group Package Affected Fixed Severity Status Ticket
AVG-2021 lib32-libjpeg6-turbo 1.5.3-2 Low Vulnerable
AVG-2020 libjpeg6-turbo 1.5.3-2 Low Vulnerable
References
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/392
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c76f4a08263b0cea40d2967560ac7c21f6959079