616464 – (CVE-2017-7885, CVE-2017-7975, CVE-2017-7976) <media-libs/jbig2dec-0.13-r4 : multiple integer overflow

Bug 616464 (CVE-2017-7885, CVE-2017-7975, CVE-2017-7976) - <media-libs/jbig2dec-0.13-r4 : multiple integer overflow

Summary: <media-libs/jbig2dec-0.13-r4 : multiple integer overflow

Status:	RESOLVED FIXED

Alias:	CVE-2017-7885, CVE-2017-7975, CVE-2017-7976

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A2 [glsa cve]
Keywords:

Depends on:
Blocks:	CVE-2017-9216
	Show dependency tree

Reported:	2017-04-24 11:35 UTC by Agostino Sarubbo
Modified:	2017-10-03 14:07 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	media-libs/jbig2dec-0.13-r4
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-04-24 11:35:47 UTC

From https://bugzilla.redhat.com/show_bug.cgi?id=1444104:

jbig2dec has a heap-based buffer over-read leading to denial of service (application crash) because of an integer overflow in the jbig2_decode_symbol_dict function in 
jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.
Upstream bug:
https://bugs.ghostscript.com/show_bug.cgi?id=697703


From https://bugzilla.redhat.com/show_bug.cgi?id=1443940:

Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during 
operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code.
Upstream bug:
https://bugs.ghostscript.com/show_bug.cgi?id=697693


From https://bugzilla.redhat.com/show_bug.cgi?id=1443897:
Artifex jbig2dec allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, 
leading to a denial of service (application crash).
Upstream bug:
https://bugs.ghostscript.com/show_bug.cgi?id=697683


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-03 15:02:48 UTC

Upstream fixes: 

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b184e783702246e15

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e57e483298dae8b

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ed6c5133a1004ce8d

Comment 2 Andreas K. Hüttel archtester

2017-06-09 23:50:28 UTC

Patched in our -r3.

Comment 3 Andreas K. Hüttel archtester

2017-06-11 21:22:21 UTC

(In reply to Andreas K. Hüttel from comment #2)
> Patched in our -r3.

Nope, there was a stray # in the ebuild. 

Patched in our -r4.

Comment 4 Yury German Gentoo Infrastructure

2017-06-12 04:33:51 UTC

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Comment 5 Andreas K. Hüttel archtester

2017-06-17 13:52:19 UTC

Please stabilize media-libs/jbig2dec-0.13-r4 (all stable arches)

Comment 6 Agostino Sarubbo gentoo-dev

2017-06-17 17:26:12 UTC

x86 stable

Comment 7 Agostino Sarubbo gentoo-dev

2017-06-18 14:02:14 UTC

amd64 stable

Comment 8 Tobias Klausmann (RETIRED) gentoo-dev

2017-06-20 14:58:21 UTC

Stable on alpha.

Comment 9 Agostino Sarubbo gentoo-dev

2017-06-21 11:58:41 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2017-06-21 12:18:02 UTC

ppc64 stable

Comment 11 Markus Meier gentoo-dev

2017-06-23 04:38:04 UTC

arm stable

Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev

2017-06-24 21:52:28 UTC

ia64 stable

Comment 13 Agostino Sarubbo gentoo-dev

2017-07-07 09:08:19 UTC

sparc stable

Comment 14 Yury German Gentoo Infrastructure

2017-08-10 07:57:49 UTC

Arches or maintainers please stabilize for hppa ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2017-08-26 14:54:55 UTC

This issue was resolved and addressed in
 GLSA 201708-10 at https://security.gentoo.org/glsa/201708-10
by GLSA coordinator Aaron Bauman (b-man).

Comment 16 Aaron Bauman (RETIRED) gentoo-dev

2017-08-26 14:57:07 UTC

@maintainer(s), reopening for cleanup.  HPPA is still pending stable as well.  Please drop vulnerable versions from the tree.  If you so choose, please drop hppa support during cleanup.

Comment 17 Yury German Gentoo Infrastructure

2017-10-02 04:40:34 UTC

Slyfox, this is holding up a security bug. Please stabilize or drop from stable keywords for hppa.

Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-03 08:42:46 UTC

hppa stable

Comment 19 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-10-03 14:07:27 UTC

Thank you all,

Closing as GLSA was already released.

Gentoo Security Padawan
ChrisADR