Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 607188 (CVE-2016-9601)

Summary: <media-libs/jbig2dec-0.13-r1: Heap-buffer overflow due to Integer overflow in jbig2_image_new function
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Flags: stable-bot: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa cve]
Package list:
=media-libs/jbig2dec-0.13-r1
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 545234    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-25 15:01:26 UTC 
A heap-buffer overflow caused by integer overflow was found in ghostscript's jbig2dec-0.13 (a decoder implementation of the JBIG2 image compression format). The vulnerability is caused by an Addition-1 integer overflow. The overflowed value is passed to function ‘malloc’ as the SIZE parameter and a buffer with zero size is allocated. Later, out-of-bound read/write can happen when accessing the buffer. Whether it’s an out-of-bound read vulnerability or out-of-bound write can be controlled by crafting the input .jb2 file. The vulnerability can cause Denial-of-Service or possibly corrupt some memory data.

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697457

Upstream patch:

http://git.ghostscript.com/?p=jbig2dec.git;a=commitdiff;h=e698d5c11d27212aa1098bc5b1673a3378563092


@ Maintainer(s): Please rev bump and cherry-pick the patch.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-25 15:06:45 UTC 
According to https://bugs.ghostscript.com/show_bug.cgi?id=697457#c12 upstream is planning release not before March 2017. That's why we are asking maintainer(s) for cherry-picking.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-02-19 17:52:17 UTC 
Arches please test and stabilize, target all stable arches

=media-libs/jbig2dec-0.13-r1
Comment 3 Stabilization helper bot gentoo-dev 2017-02-19 18:00:55 UTC 
An automated check of this bug failed - the following atom is unknown:

media-libs/jbig2dec-0.13-r1

Please verify the atom list.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-21 11:55:54 UTC 
Stable on alpha.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-22 08:08:24 UTC 
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-22 15:08:23 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-22 16:10:37 UTC 
x86 stable
Comment 8 Michael Weber (RETIRED) gentoo-dev 2017-02-23 09:29:11 UTC 
ppc64 stable.
Comment 9 Agostino Sarubbo gentoo-dev 2017-02-24 14:08:33 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-02-25 10:05:03 UTC 
sparc stable
Comment 11 Markus Meier gentoo-dev 2017-02-28 17:31:55 UTC 
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-03-11 17:18:00 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Andreas K. Hüttel archtester gentoo-dev 2017-03-11 18:09:40 UTC 
Vulnerable versions removed
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2017-03-24 05:08:12 UTC 
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 15 Andreas K. Hüttel archtester gentoo-dev 2017-06-09 23:30:25 UTC 
Nothing to do for graphics here anymore.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2017-06-22 18:36:19 UTC 
This issue was resolved and addressed in
 GLSA 201706-24 at https://security.gentoo.org/glsa/201706-24
by GLSA coordinator Kristian Fiskerstrand (K_F).