Mozilla Foundation Security Advisory 2013-116

JPEG information leak

Announced
December 10, 2013
Reporter
Michal Zalewski
Impact
High
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird
Fixed in
  • Firefox 26
  • Firefox ESR 24.2
  • SeaMonkey 2.23
  • Thunderbird 24.2

Description

Google security researcher Michal Zalewski reported issues with JPEG format image processing with Start Of Scan (SOS) and Define Huffman Table (DHT) markers in the libjpeg library. This could allow for the possible reading of arbitrary memory content as well as cross-domain image theft.

References