CVE-2020-13790: 
NixOS vulnerability analysis and mitigation

CVE-2020-13790 is a security vulnerability discovered in libjpeg-turbo version 2.0.4 and mozjpeg 4.0.0. The vulnerability was disclosed on June 3, 2020, and affects the get_rgb_row() function in rdppm.c. The issue involves a heap-based buffer over-read vulnerability that can be triggered via a malformed PPM input file (NVD, MITRE).

The vulnerability is specifically located in the get_rgb_row() function within the rdppm.c file. It manifests as a heap-based buffer over-read condition that can be triggered when processing malformed PPM input files. The issue occurs when handling binary PPM files with maximum values less than 255, which can lead to an overrun of the rescale array (GitHub Issue, GitHub Commit).

The vulnerability could allow attackers to access sensitive information through specially crafted PPM files. When exploited, the vulnerability could expose data from the application's memory, potentially revealing sensitive information to attackers (Ubuntu Notice, Gentoo Advisory).

The vulnerability has been patched in various distributions and versions. Ubuntu released updates for multiple versions (20.04, 19.10, 18.04, 16.04, 14.04, and 12.04). Fedora provided fixes in version 2.0.4-3.fc32. Debian released version 1:1.5.1-2+deb9u1 for Debian 9 stretch. Users are advised to update to the patched versions through their system's standard update mechanisms (Ubuntu Notice, Fedora Update).