Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 719730 (CVE-2020-12268) - <media-libs/jbig2dec-0.18: Buffer overflow in jbig2_image_compose (CVE-2020-12268)
Summary: <media-libs/jbig2dec-0.18: Buffer overflow in jbig2_image_compose (CVE-2020-1...
Status: RESOLVED FIXED
Alias: CVE-2020-12268
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-04-27 04:48 UTC by GLSAMaker/CVETool Bot
Modified: 2020-07-29 23:12 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/jbig2dec-0.18
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-27 04:48:51 UTC 
CVE-2020-12268 (https://nvd.nist.gov/vuln/detail/CVE-2020-12268):
  jbig2_image_compose in jbig2_image.c in Artifex jbig2dec before 0.18 has a
  heap-based buffer overflow.


----
Note that 0.18 seems available on git but not mentioned on the site yet.
Comment 1 Larry the Git Cow gentoo-dev 2020-07-19 18:28:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c8aa035785724e5c7dad46b35c25500d4c7135a

commit 3c8aa035785724e5c7dad46b35c25500d4c7135a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-19 18:28:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-19 18:28:16 +0000

    media-libs/jbig2dec: security bump to 0.18
    
    Bump to 0.18, but while we're here,
    add support for newer Pythons at build time.
    
    We include two additional upstream patches
    post-release which look security-relevant.
    
    Bug: https://bugs.gentoo.org/719730
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/jbig2dec/Manifest                       |  1 +
 .../jbig2dec-0.18-extra-overflow-checks.patch      | 51 +++++++++++++++
 .../files/jbig2dec-0.18-overflow-IAID.patch        | 36 +++++++++++
 media-libs/jbig2dec/jbig2dec-0.18.ebuild           | 73 ++++++++++++++++++++++
 4 files changed, 161 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 15:10:14 UTC 
arm stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 16:04:54 UTC 
arm64 stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 17:38:38 UTC 
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 17:52:27 UTC 
ppc64 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 17:52:39 UTC 
ppc stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 18:26:09 UTC 
amd64 stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 12:22:30 UTC 
sparc stabled by slyfox in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3169245977a987a67079eb01010a1e1f3b99e738 on 22nd
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-25 21:02:03 UTC 
s390 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 18:50:45 UTC 
hppa: ping
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 22:56:48 UTC 
GLSA vote: no
Comment 12 Rolf Eike Beer archtester 2020-07-29 17:35:10 UTC 
hppa stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 19:16:59 UTC 
Please cleanup.
Comment 14 Larry the Git Cow gentoo-dev 2020-07-29 23:11:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af1c2da6c3e7711f6cc2a1c985d23d93d73bbe0f

commit af1c2da6c3e7711f6cc2a1c985d23d93d73bbe0f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 19:49:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 23:11:45 +0000

    media-libs/jbig2dec: security cleanup
    
    Bug: https://bugs.gentoo.org/719730
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/jbig2dec/Manifest                       |  2 -
 .../files/jbig2dec-0.17-fix-test_jbig2dec.py.patch | 39 -------------
 media-libs/jbig2dec/jbig2dec-0.14.ebuild           | 44 --------------
 media-libs/jbig2dec/jbig2dec-0.17-r1.ebuild        | 68 ----------------------
 4 files changed, 153 deletions(-)