On Mon, Oct 16, 2017 at 01:44:14PM +0200, Ola Lundqvist wrote:
> Hi
>
> Sorry. Wrong year in the CVE.
>
> The correct CVE is CVE-2017-15232.

Yes, I finally found it. Any evidence it affects libjpeg?
For all I see it relies on code added to libjpeg-turbo.
To start with, djpeg in wheezy lacks the -crop option.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.