From ${URL} :

Below issue was reported at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779849:

"""
jbig2dec crashes on the attached file:

$ ./jbig2dec crash.jb2
jbig2dec WARNING No OOB signalling end of height class 2 (segment 0x00)
*** Error in `/home/jwilk/jbig2dec-0.11+20120125/.libs/lt-jbig2dec': free(): invalid pointer: 0x08b98240 ***
Aborted

Rebuilding the package with "-fsanitize=address" reveals that the root cause is a heap-based buffer overflow:

$ ./jbig2dec crash.jb2
=================================================================
==4112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4303f6c at pc 0xf726b146 bp 0xff8eccc8 sp 0xff8eccbc
WRITE of size 4 at 0xf4303f6c thread T0
    #0 0xf726b145 in jbig2_decode_symbol_dict /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:626
    #1 0xf726b145 in jbig2_symbol_dictionary /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:1054
    #2 0xf7263cd0 in jbig2_parse_segment /home/jwilk/jbig2dec-0.11+20120125/jbig2_segment.c:251
    #3 0xf725d598 in jbig2_data_in /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:356
    #4 0x80499d5 in main /home/jwilk/jbig2dec-0.11+20120125/jbig2dec.c:449
    #5 0xf7035a62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
    #6 0x804a6eb (/home/jwilk/jbig2dec-0.11+20120125/.libs/lt-jbig2dec+0x804a6eb)

0xf4303f6c is located 0 bytes to the right of 7788-byte region [0xf4302100,0xf4303f6c)
allocated by thread T0 here:
    #0 0xf72e16e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
    #1 0xf725c237 in jbig2_default_alloc /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:35
"""

No patch for this issue is available yet.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
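An added example, not part of the original report or of jbig2dec: a Python triage of the AddressSanitizer output quoted above, extracting the faulting access, how far it lands past the allocation, and the source lines of the write and of the allocation. The result field names and the reading of the offset as an array index are assumptions of this example.

```python
import os
import re

# Lines copied from the AddressSanitizer report quoted above (frames #2-#6 omitted).
REPORT = """\
==4112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4303f6c at pc 0xf726b146 bp 0xff8eccc8 sp 0xff8eccbc
WRITE of size 4 at 0xf4303f6c thread T0
    #0 0xf726b145 in jbig2_decode_symbol_dict /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:626
    #1 0xf726b145 in jbig2_symbol_dictionary /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:1054
0xf4303f6c is located 0 bytes to the right of 7788-byte region [0xf4302100,0xf4303f6c)
allocated by thread T0 here:
    #0 0xf72e16e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
    #1 0xf725c237 in jbig2_default_alloc /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:35
"""

HEADER = re.compile(r"AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# Only frames that carry "file:line" match; frames inside libasan/libc are skipped.
FRAME = re.compile(r"^[ \t]+#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)$", re.M)

def _site(text):
    """First frame with source information, as (function, file, line)."""
    m = FRAME.search(text)
    return (m.group(1), os.path.basename(m.group(2)), int(m.group(3))) if m else None

def triage(report):
    """Summarise a heap error: what was accessed, how far out, and by which code."""
    kind = HEADER.search(report).group(1)
    op, size, addr = ACCESS.search(report).groups()
    length, start, end = REGION.search(report).groups()
    size, addr, start, end = int(size), int(addr, 16), int(start, 16), int(end, 16)
    if end - start != int(length):
        raise ValueError("region bounds disagree with the stated region size")
    # Frames before the marker are the faulting access, frames after it the allocation.
    access_part, _, alloc_part = report.partition("allocated by thread")
    offset = addr - start
    return {
        "kind": kind, "op": op, "size": size,
        "offset": offset,                                   # where the access starts
        "overrun": max(0, min(size, addr + size - end)),    # bytes beyond the region
        # Heuristic (assumption): an offset that is a multiple of the access
        # size is consistent with indexing an array of size-byte elements.
        "index": offset // size if offset % size == 0 else None,
        "access_site": _site(access_part),
        "alloc_site": _site(alloc_part),
    }
```

For this report the write starts exactly at the end of the 7788-byte region, so all 4 bytes are out of bounds, which matches a store one element past the end of the buffer at jbig2_symbol_dict.c:626.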
Pull request for new version fixing this issue: https://github.com/gentoo/gentoo/pull/2436
FTR I'm hesitating on how to proceed here, since jbig2dec-0.11 is GPL-3, but jbig2dec-0.13 is AGPL-3+.
Ah well let's just do it. Arches please stabilize, target: all stable arches =media-libs/jbig2dec-0.13
amd64 stable
Stable for HPPA.
x86 stable
ia64 stable
Arches please proceed in bug 607188
Vulnerable versions removed
Nothing to do for graphics here anymore.
This issue was resolved and addressed in GLSA 201706-24 at https://security.gentoo.org/glsa/201706-24 by GLSA coordinator Kristian Fiskerstrand (K_F).