Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 507254 (CVE-2013-6369)

Summary: <media-libs/jbigkit-2.1: "jbg_dec_in()" Buffer Overflow Vulnerability (CVE-2013-6369)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: graphics+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/57731
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-04-09 16:01:17 UTC 
From ${URL} :

Description

Red Hat Product Security Team has reported a vulnerability in JBIG-KIT, which can be exploited by 
malicious people to compromise an application using the library.

The vulnerability is caused due to a boundary error in the "jbg_dec_in()" function (jbig.c), which can be 
exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 2.1.


Solution:
Update to version 2.1.

Provided and/or discovered by:
Florian Weimer, Red Hat Product Security Team.

Original Advisory:
JBIG-KIT:
https://www.cl.cam.ac.uk/~mgk25/jbigkit/CHANGES

Red Hat Product Security Team:
https://bugzilla.redhat.com/show_bug.cgi?id=1032273


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-04-11 10:34:26 UTC 
Please test and stabilize:

=media-libs/jbigkit-2.1
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-04-11 16:24:08 UTC 
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-04-12 09:31:53 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-12 09:33:51 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-04-13 11:08:22 UTC 
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-04-21 10:50:52 UTC 
alpha stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-04-22 12:28:19 UTC 
arm stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 20:10:48 UTC 
CVE-2013-6369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6369):
  Stack-based buffer overflow in the jbg_dec_in function in libjbig/jbig.c in
  JBIG-KIT before 2.1 allows remote attackers to cause a denial of service
  (application crash) and possibly execute arbitrary code via a crafted image
  file.
Comment 9 Agostino Sarubbo gentoo-dev 2014-05-11 08:06:14 UTC 
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-05-13 15:21:41 UTC 
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:46 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-05-15 03:06:51 UTC 
Arches and Maintainer(s), Thank you for your work.

Added to new GLSA Request
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 13:11:41 UTC 
This issue was resolved and addressed in
 GLSA 201405-20 at http://security.gentoo.org/glsa/glsa-201405-20.xml
by GLSA coordinator Mikle Kolyada (Zlogene).