Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 507254 (CVE-2013-6369) - <media-libs/jbigkit-2.1: "jbg_dec_in()" Buffer Overflow Vulnerability (CVE-2013-6369)
Summary: <media-libs/jbigkit-2.1: "jbg_dec_in()" Buffer Overflow Vulnerability (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2013-6369
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57731
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-09 16:01 UTC by Agostino Sarubbo
Modified: 2014-05-18 13:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-09 16:01:17 UTC
From ${URL} :

Description

Red Hat Product Security Team has reported a vulnerability in JBIG-KIT, which can be exploited by 
malicious people to compromise an application using the library.

The vulnerability is caused due to a boundary error in the "jbg_dec_in()" function (jbig.c), which can be 
exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 2.1.


Solution:
Update to version 2.1.

Provided and/or discovered by:
Florian Weimer, Red Hat Product Security Team.

Original Advisory:
JBIG-KIT:
https://www.cl.cam.ac.uk/~mgk25/jbigkit/CHANGES

Red Hat Product Security Team:
https://bugzilla.redhat.com/show_bug.cgi?id=1032273


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-04-11 10:34:26 UTC
Please test and stabilize:

=media-libs/jbigkit-2.1
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-04-11 16:24:08 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-04-12 09:31:53 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-12 09:33:51 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-04-13 11:08:22 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-04-21 10:50:52 UTC
alpha stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-04-22 12:28:19 UTC
arm stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 20:10:48 UTC
CVE-2013-6369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6369):
  Stack-based buffer overflow in the jbg_dec_in function in libjbig/jbig.c in
  JBIG-KIT before 2.1 allows remote attackers to cause a denial of service
  (application crash) and possibly execute arbitrary code via a crafted image
  file.
Comment 9 Agostino Sarubbo gentoo-dev 2014-05-11 08:06:14 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-05-13 15:21:41 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:46 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-05-15 03:06:51 UTC
Arches and Maintainer(s), Thank you for your work.

Added to new GLSA Request
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 13:11:41 UTC
This issue was resolved and addressed in
 GLSA 201405-20 at http://security.gentoo.org/glsa/glsa-201405-20.xml
by GLSA coordinator Mikle Kolyada (Zlogene).