{"id":"CVE-2020-13790","details":"libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.","modified":"2026-04-16T00:06:36.606944240Z","published":"2020-06-03T19:15:10.817Z","related":["ALSA-2025:7540","SUSE-SU-2020:2569-1","SUSE-SU-2020:2570-1","openSUSE-SU-2020:1413-1","openSUSE-SU-2020:1458-1","openSUSE-SU-2024:10952-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00031.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00062.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00033.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4D6KNUY7YANSPH7SVQ44PJKSABFKAUB/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6563YHSVZK24MPJXGJVK3CQG7JVWZGK/"},{"type":"WEB","url":"https://usn.ubuntu.com/4386-1/"},{"type":"ADVISORY","url":"https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a"},{"type":"ADVISORY","url":"https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202010-03"},{"type":"FIX","url":"https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a"},{"type":"EVIDENCE","url":"https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libjpeg-turbo/libjpeg-turbo","events":[{"introduced":"0"},{"fixed":"3de15e0c344d11d4b90f4a47136467053eb2d09a"}]}],"versions":["0.0.90","0.0.91","0.0.93","1.0.0","1.0.1","1.0.90","1.1.0","1.1.1","1.1.90","1.2.0","1.2.1","1.2.90","1.3.0","1.3.1","1.3.90","1.4.0","1.4.1","1.4.2","1.4.90","1.5.0","1.5.1","1.5.2","1.5.3","1.5.90","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","jpeg-1","jpeg-2","jpeg-3","jpeg-4","jpeg-4a","jpeg-5","jpeg-5a","jpeg-5b","jpeg-6","jpeg-6a","jpeg-6b","jpeg-6bx","jpeg-7","jpeg-8","jpeg-8a","jpeg-8b","jpeg-8c","jpeg-8d","jpeg-9","jpeg-9a","jpeg-9b","jpeg-ari"],"database_specific":{"vanir_signatures":[{"target":{"file":"rdppm.c"},"deprecated":false,"id":"CVE-2020-13790-4163c7b5","source":"https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["279960956856796919083660656941318470986","339143231265080250257308579932503053796","131917594966023431801087663642952665251","156807076211336174187134914508724087246","333061502291305840284261457804340431451"]},"signature_version":"v1"},{"deprecated":false,"target":{"file":"rdppm.c","function":"start_input_ppm"},"id":"CVE-2020-13790-ae5bae3c","source":"https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a","signature_type":"Function","digest":{"function_hash":"100417613708608266563647517534113762204","length":4668},"signature_version":"v1"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13790.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"}]}