Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616464 (CVE-2017-7885, CVE-2017-7975, CVE-2017-7976) - <media-libs/jbig2dec-0.13-r4 : multiple integer overflow
Summary: <media-libs/jbig2dec-0.13-r4 : multiple integer overflow
Alias: CVE-2017-7885, CVE-2017-7975, CVE-2017-7976
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Depends on:
Blocks: CVE-2017-9216
  Show dependency tree
Reported: 2017-04-24 11:35 UTC by Agostino Sarubbo
Modified: 2017-10-03 14:07 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-04-24 11:35:47 UTC

jbig2dec has a heap-based buffer over-read leading to denial of service (application crash) because of an integer overflow in the jbig2_decode_symbol_dict function in 
jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.
Upstream bug:


Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during 
operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code.
Upstream bug:

Artifex jbig2dec allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, 
leading to a denial of service (application crash).
Upstream bug:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-06-09 23:50:28 UTC
Patched in our -r3.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-06-11 21:22:21 UTC
(In reply to Andreas K. Hüttel from comment #2)
> Patched in our -r3.

Nope, there was a stray # in the ebuild. 

Patched in our -r4.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-06-12 04:33:51 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-06-17 13:52:19 UTC
Please stabilize media-libs/jbig2dec-0.13-r4 (all stable arches)
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-17 17:26:12 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-18 14:02:14 UTC
amd64 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-20 14:58:21 UTC
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2017-06-21 11:58:41 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-21 12:18:02 UTC
ppc64 stable
Comment 11 Markus Meier gentoo-dev 2017-06-23 04:38:04 UTC
arm stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-24 21:52:28 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-07-07 09:08:19 UTC
sparc stable
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2017-08-10 07:57:49 UTC
Arches or maintainers please stabilize for hppa ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-08-26 14:54:55 UTC
This issue was resolved and addressed in
 GLSA 201708-10 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-08-26 14:57:07 UTC
@maintainer(s), reopening for cleanup.  HPPA is still pending stable as well.  Please drop vulnerable versions from the tree.  If you so choose, please drop hppa support during cleanup.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2017-10-02 04:40:34 UTC
Slyfox, this is holding up a security bug. Please stabilize or drop from stable keywords for hppa.
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-03 08:42:46 UTC
hppa stable
Comment 19 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-03 14:07:27 UTC
Thank you all,

Closing as GLSA was already released.

Gentoo Security Padawan