CVE-2019-2201

CVE-2019-2201

Name

CVE-2019-2201

Description

In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-120551338

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Vendor Advisory	https://source.android.com/security/bulletin/2019-11-01
Third Party Advisory	https://usn.ubuntu.com/4190-1/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4QPASQPZO644STRFTLOD35RIRGWWRNI/
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00047.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00048.html
GENTOO	https://security.gentoo.org/glsa/202003-23
MLIST	https://lists.apache.org/thread.html/rc800763a88775ac9abb83b3402bcd0913d41ac65fdfc759af38f2280@%3Ccommits.mxnet.apache.org%3E

Type

URI

Vendor Advisory

https://source.android.com/security/bulletin/2019-11-01

Third Party Advisory

https://usn.ubuntu.com/4190-1/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4QPASQPZO644STRFTLOD35RIRGWWRNI/

SUSE

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00047.html

SUSE

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00048.html

GENTOO

https://security.gentoo.org/glsa/202003-23

MLIST

https://lists.apache.org/thread.html/rc800763a88775ac9abb83b3402bcd0913d41ac65fdfc759af38f2280@%3Ccommits.mxnet.apache.org%3E

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:o:google:android:8.0:::::::*`	android	== None	== 8.0
`cpe:2.3:o:google:android:8.1:::::::*`	android	== None	== 8.1
`cpe:2.3:o:google:android:9.0:::::::*`	android	== None	== 9.0
`cpe:2.3:o:google:android:10.0:::::::*`	android	== None	== 10.0

CPE URI

Source package

Min version

Max version

cpe:2.3:o:google:android:8.0:*:*:*:*:*:*:*

android

== None

== 8.0

cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*

android

== None

== 8.1

cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*

android

== None

== 9.0

cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*

android

== None

== 10.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
libjpeg-turbo	edge-main	2.0.4-r0	None	fixed
libjpeg-turbo	3.22-main	2.0.4-r0	None	fixed
libjpeg-turbo	3.21-main	2.0.4-r0	None	fixed
libjpeg-turbo	3.20-main	2.0.4-r0	None	fixed
libjpeg-turbo	3.19-main	2.0.4-r0	None	fixed
libjpeg-turbo	3.18-main	2.0.4-r0	None	fixed
libjpeg-turbo	3.17-main	2.0.4-r0	None	fixed
libjpeg-turbo	3.12-main	2.0.4-r0	None	fixed
libjpeg-turbo	3.11-main	2.0.4-r0	None	fixed
libjpeg-turbo	3.10-main	2.0.4-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

libjpeg-turbo

edge-main

2.0.4-r0

None

fixed

libjpeg-turbo

3.22-main