Bug 620202 (CVE-2017-9216) - <media-libs/jbig2dec-0.13-r2: Null pointer dereference in jbig2_huffman_get()
Summary: <media-libs/jbig2dec-0.13-r2: Null pointer dereference in jbig2_huffman_get()
Status: RESOLVED FIXED
Alias: CVE-2017-9216
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [stable blocked]
Keywords:
Depends on: CVE-2017-7885, CVE-2017-7975, CVE-2017-7976
Blocks:
Reported: 2017-05-30 14:35 UTC by Agostino Sarubbo
Modified: 2017-10-03 14:07 UTC
Description Agostino Sarubbo gentoo-dev 2017-05-30 14:35:14 UTC
From ${URL} :

libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file.

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697934

Upstream patch:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3ebffb1d96ba0cacec23016eccb4047dab365853


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2017-05-30 19:41:40 UTC
Let's wait a few days and then stabilize media-libs/jbig2dec-0.13-r2
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 15:04:21 UTC
@ Maintainer(s): Can you please pick patches from bug 616464 so that we will handle both bugs together?