{"id":"CVE-2019-20326","details":"A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file.","modified":"2026-04-16T01:49:19.634377065Z","published":"2020-03-16T22:15:14.590Z","database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"https://gitlab.gnome.org/GNOME/gthumb/commit/ca8f528209ab78935c30e42fe53bdf1a24f3cb44"},{"type":"ADVISORY","url":"https://gitlab.gnome.org/GNOME/gthumb/commits/master/extensions/cairo_io/cairo-image-surface-jpeg.c"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00027.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202008-05"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/gthumb/commit/4faa5ce2358812d23a1147953ee76f59631590ad"},{"type":"EVIDENCE","url":"https://github.com/Fysac/CVE-2019-20326"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gnome/gthumb","events":[{"introduced":"0"},{"fixed":"ca8f528209ab78935c30e42fe53bdf1a24f3cb44"}],"database_specific":{"cpe":"cpe:2.3:a:gnome:gthumb:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"3.8.3"}],"source":"CPE_FIELD"}}],"versions":["2.13.2","2.13.3","2.13.90","2.13.91","2.90.1","2.90.2","2.90.3","3.0.0","3.0.1","3.1.1","3.1.2","3.1.3","3.1.4","3.2.0","3.3.2","3.3.3","3.3.4","3.4.0","3.4.1","3.5.1","3.5.2","3.5.3","3.5.4","3.6.0","3.6.1","3.7.1","3.7.2","3.8.0","3.8.1","3.8.2","GTHUMB_2_10_0","GTHUMB_2_10_1","GTHUMB_2_11_1","GTHUMB_2_11_2","GTHUMB_2_11_2_1","GTHUMB_2_11_3","GTHUMB_2_11_4","GTHUMB_2_11_5","GTHUMB_2_11_6","GTHUMB_2_11_90","GTHUMB_2_11_91","GTHUMB_2_11_92","GTHUMB_2_12_0","GTHUMB_2_13_1","GTHUMB_2_4_0","GTHUMB_2_7_3","G
THUMB_2_7_4","GTHUMB_2_7_5","GTHUMB_2_7_5_1","GTHUMB_2_7_6","GTHUMB_2_7_7","GTHUMB_2_7_8","GTHUMB_2_7_9","GTHUMB_2_9_1","GTHUMB_2_9_2","GTHUMB_2_9_3","start"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20326.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/linuxmint/pix","events":[{"introduced":"0"},{"fixed":"60e4d161aa6c58b5355bc285a6d0a06ee04a4991"}],"database_specific":{"cpe":"cpe:2.3:a:linuxmint:pix:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.4.5"}],"source":"CPE_FIELD"}}],"versions":["1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.2.0","1.2.1","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.6.0","1.6.1","1.6.2","1.8.0","1.8.1","1.8.2","2.0.0","2.0.1","2.0.2","2.0.3","2.2.0","2.2.1","2.4.0","2.4.1","2.4.2","2.4.3","2.4.4","master.mint18"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20326.json"}},{"ranges":[{"type":"GIT","repo":"https://gitlab.gnome.org/GNOME/gthumb","events":[{"introduced":"0"},{"fixed":"4faa5ce2358812d23a1147953ee76f59631590ad"},{"fixed":"ca8f528209ab78935c30e42fe53bdf1a24f3cb44"}],"database_specific":{"source":"REFERENCES"}}],"versions":["2.13.2","2.13.3","2.13.90","2.13.91","2.90.1","2.90.2","2.90.3","3.0.0","3.0.1","3.1.1","3.1.2","3.1.3","3.1.4","3.2.0","3.3.2","3.3.3","3.3.4","3.4.0","3.4.1","3.5.1","3.5.2","3.5.3","3.5.4","3.6.0","3.6.1","3.7.1","3.7.2","3.8.0","3.8.1","3.8.2","GTHUMB_2_10_0","GTHUMB_2_10_1","GTHUMB_2_11_1","GTHUMB_2_11_2","GTHUMB_2_11_2_1","GTHUMB_2_11_3","GTHUMB_2_11_4","GTHUMB_2_11_5","GTHUMB_2_11_6","GTHUMB_2_11_90","GTHUMB_2_11_91","GTHUMB_2_11_92","GTHUMB_2_12_0","GTHUMB_2_13_1","GTHUMB_2_4_0","GTHUMB_2_7_3","GTHUMB_2_7_4","GTHUMB_2_7_5","GTHUMB_2_7_5_1","GTHUMB_2_7_6","GTHUMB_2_7_7","GTHUMB_2_7_8","GTHUMB_2_7_9","GTHUMB_2_9_1","GTHUMB_2_9_2","GTHUMB_2_9_3","start"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-c
onversion/osv-output/CVE-2019-20326.json","vanir_signatures_modified":"2026-04-11T21:02:06Z","vanir_signatures":[{"signature_type":"Function","source":"https://gitlab.gnome.org/GNOME/gthumb@4faa5ce2358812d23a1147953ee76f59631590ad","target":{"file":"extensions/cairo_io/cairo-image-surface-jpeg.c","function":"_cairo_image_surface_create_from_jpeg"},"id":"CVE-2019-20326-6b08bd8c","signature_version":"v1","digest":{"function_hash":"190570146874380948005349743122422906983","length":8044},"deprecated":false},{"signature_type":"Line","source":"https://gitlab.gnome.org/GNOME/gthumb@4faa5ce2358812d23a1147953ee76f59631590ad","target":{"file":"extensions/cairo_io/cairo-image-surface-jpeg.c"},"id":"CVE-2019-20326-79793538","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":[]},"deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}