A heap-buffer overflow caused by integer overflow was found in ghostscript's jbig2dec-0.13 (a decoder implementation of the JBIG2 image compression format). The vulnerability is caused by an Addition-1 integer overflow. The overflowed value is passed to function ‘malloc’ as the SIZE parameter and a buffer with zero size is allocated. Later, out-of-bound read/write can happen when accessing the buffer. Whether it’s an out-of-bound read vulnerability or out-of-bound write can be controlled by crafting the input .jb2 file. The vulnerability can cause Denial-of-Service or possibly corrupt some memory data.
Upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=697457
Upstream patch: http://git.ghostscript.com/?p=jbig2dec.git;a=commitdiff;h=e698d5c11d27212aa1098bc5b1673a3378563092
@ Maintainer(s): Please rev bump and cherry-pick the patch.
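The bug class described in the report above, as an added example that is not part of the original report and is not jbig2dec's code: a 32-bit count taken from untrusted input wraps to 0 when 1 is added, and the checked form rejects that value before any allocation. All function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration; all names are hypothetical, not jbig2dec's. */

/* Unchecked pattern: n + 1 is computed in 32-bit unsigned arithmetic,
 * so n == UINT32_MAX wraps to 0 before it is used as malloc's size. */
static uint32_t unchecked_alloc_size(uint32_t n)
{
    return n + 1;
}

/* Checked form: refuse the +1 wrap and the count * elem_size wrap.
 * Returns 0 and stores the byte size in *out, or -1 on overflow. */
static int checked_alloc_size(uint32_t n, size_t elem_size, size_t *out)
{
    if (n == UINT32_MAX || elem_size == 0)
        return -1;
    size_t count = (size_t)n + 1;
    if (count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Allocate a zeroed table of n_from_file + 1 bytes, or NULL if rejected. */
static uint8_t *alloc_table(uint32_t n_from_file, size_t *len_out)
{
    size_t bytes;
    if (checked_alloc_size(n_from_file, sizeof(uint8_t), &bytes) != 0)
        return NULL;
    uint8_t *t = calloc(1, bytes);
    if (t != NULL)
        *len_out = bytes;
    return t;
}

/* Bounds-checked read: every index is validated against the real length. */
static int table_get(const uint8_t *t, size_t len, size_t idx, uint8_t *out)
{
    if (t == NULL || idx >= len)
        return -1;
    *out = t[idx];
    return 0;
}

int main(void)
{
    printf("unchecked size for 0xFFFFFFFF: %u\n", (unsigned)unchecked_alloc_size(UINT32_MAX));
    return 0;
}
```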
According to https://bugs.ghostscript.com/show_bug.cgi?id=697457#c12 upstream is planning a release not before March 2017. That's why we are asking maintainer(s) for cherry-picking.
Arches please test and stabilize, target all stable arches =media-libs/jbig2dec-0.13-r1
An automated check of this bug failed - the following atom is unknown: media-libs/jbig2dec-0.13-r1 Please verify the atom list.
Stable on alpha.
Stable for HPPA.
amd64 stable
x86 stable
ppc64 stable.
ppc stable
sparc stable
arm stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Vulnerable versions removed
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
Nothing to do for graphics here anymore.
This issue was resolved and addressed in GLSA 201706-24 at https://security.gentoo.org/glsa/201706-24 by GLSA coordinator Kristian Fiskerstrand (K_F).