Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 545234 - <media-libs/jbig2dec-0.13: heap-based buffer overflow in jbig2_decode_symbol_dict()
Summary: <media-libs/jbig2dec-0.13: heap-based buffer overflow in jbig2_decode_symbol_...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2016-9601
Blocks:
  Show dependency tree
 
Reported: 2015-04-01 14:16 UTC by Agostino Sarubbo
Modified: 2017-06-22 18:36 UTC (History)
0 users

See Also:
Package list:
=media-libs/jbig2dec-0.13
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-04-01 14:16:21 UTC
From ${URL} :

Below issue was reported at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779849:
"""
jbig2dec crashes on the attached file:

$ ./jbig2dec crash.jb2
jbig2dec WARNING No OOB signalling end of height class 2 (segment 0x00)
*** Error in `/home/jwilk/jbig2dec-0.11+20120125/.libs/lt-jbig2dec': free(): invalid pointer: 0x08b98240 ***
Aborted

Rebuilding the package with "-fsanitize=address" reveals that the root 
cause is a heap-based buffer overflow:

$ ./jbig2dec crash.jb2
=================================================================
==4112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4303f6c at pc 0xf726b146 bp 0xff8eccc8 sp 0xff8eccbc
WRITE of size 4 at 0xf4303f6c thread T0
   #0 0xf726b145 in jbig2_decode_symbol_dict /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:626
   #1 0xf726b145 in jbig2_symbol_dictionary /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:1054
   #2 0xf7263cd0 in jbig2_parse_segment /home/jwilk/jbig2dec-0.11+20120125/jbig2_segment.c:251
   #3 0xf725d598 in jbig2_data_in /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:356
   #4 0x80499d5 in main /home/jwilk/jbig2dec-0.11+20120125/jbig2dec.c:449
   #5 0xf7035a62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
   #6 0x804a6eb (/home/jwilk/jbig2dec-0.11+20120125/.libs/lt-jbig2dec+0x804a6eb)

0xf4303f6c is located 0 bytes to the right of 7788-byte region [0xf4302100,0xf4303f6c)
allocated by thread T0 here:
   #0 0xf72e16e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
   #1 0xf725c237 in jbig2_default_alloc /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:35
"""

No patch for this issue is available yet.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Felix Janda 2016-09-30 01:32:33 UTC
Pull request for new version fixing this issue:

https://github.com/gentoo/gentoo/pull/2436
Comment 2 Andreas K. Hüttel gentoo-dev 2017-02-17 21:34:04 UTC
FTR I'm hesitating on how to proceed here, since jbig2dec-0.11 is GPL-3, but jbig2dec-0.13 is AGPL-3+.
Comment 3 Andreas K. Hüttel gentoo-dev 2017-02-17 21:38:53 UTC
Ah well let's just do it.

Arches please stabilize, target: all stable arches

=media-libs/jbig2dec-0.13
Comment 4 Agostino Sarubbo gentoo-dev 2017-02-18 13:29:13 UTC
amd64 stable
Comment 5 Jeroen Roovers gentoo-dev 2017-02-18 13:42:55 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-18 14:33:56 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-18 14:44:36 UTC
ia64 stable
Comment 8 Andreas K. Hüttel gentoo-dev 2017-02-19 17:54:01 UTC
Arches please proceed in bug 607188
Comment 9 Andreas K. Hüttel gentoo-dev 2017-03-11 18:10:09 UTC
Vulnerable versions removed
Comment 10 Andreas K. Hüttel gentoo-dev 2017-06-09 23:29:55 UTC
Nothing to do for graphics here anymore.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-06-22 18:36:10 UTC
This issue was resolved and addressed in
 GLSA 201706-24 at https://security.gentoo.org/glsa/201706-24
by GLSA coordinator Kristian Fiskerstrand (K_F).