Debian alert DLA-942-1 (jbig2dec)
From: Thorsten Alteholz <debian@alteholz.de>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 942-1] jbig2dec security update
Date: Mon, 15 May 2017 22:29:49 +0200 (CEST)
Message-ID: <alpine.DEB.2.02.1705152228450.19043@jupiter.server.alteholz.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jbig2dec
Version        : 0.13-4~deb7u2
CVE ID         : CVE-2017-7885 CVE-2017-7975 CVE-2017-7976

CVE-2017-7885

    Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to
    denial of service (application crash) or disclosure of sensitive
    information from process memory, because of an integer overflow in
    the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in
    libjbig2dec.a during operation on a crafted .jb2 file.

CVE-2017-7975

    Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds
    writes because of an integer overflow in the jbig2_build_huffman_table
    function in jbig2_huffman.c during operations on a crafted JBIG2 file,
    leading to a denial of service (application crash) or possibly
    execution of arbitrary code.

CVE-2017-7976

    Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of
    an integer overflow in the jbig2_image_compose function in
    jbig2_image.c during operations on a crafted .jb2 file, leading to a
    denial of service (application crash) or disclosure of sensitive
    information from process memory.

For Debian 7 "Wheezy", these problems have been fixed in version
0.13-4~deb7u2.

We recommend that you upgrade your jbig2dec packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJZGg+9XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHaeUQAJxJ8fjcT/XRsSJnt7S7gGEk
YQefW9RtFir9HoB6wNdciqEUY3tF6VeFd84Bov36+quE4Q89/Ps3QhYcMZbRBQhv
F43e32qPKImXfc6v9VCfO+NrR/aO4tgUNmZ4jPupW1vv4/Uz8BCcoguSiYH33K6V
VocFVEGPnzVqu+yrW2K4V12cE0aVawxGUdAfJdnbv9GF/fumYNjrP7jlfboTxhOw
5AFW5FQ3msw+QJnCbrD0XogwkOiobbk05moOSj+YJv7kW725+qAHtERbwrWewyQU
pTUcBecY8Q4mNrW5SDAN3L7y9ZAJaQjjEfOztBumv7ywIwvLkMgCJngZwlcNEWzx
bLa7RH8pXhJn5M45wqvtNePEjcun5jaxqvyuUXOwqLry6mgiP4ndlLqYfZCPPs5I
DqNh57qtgyC8CyCDWQaKBZTpoNqJDv4axgMRxgjG8vLf8SV26OvCX0z3yyamPfzC
RhV5GR+0MfZ29PJm1+x9pdfZqn2zwiTBNcxy6ZZzcY4mjgSxJ4ZV+eaxx96Pmnus
nYhuSA8WNzptrcjKES+FFP2Sm1Ix/p3j1Xp7f0iDbvO1Jp4/88hEK+TKdqiwIoFY
cqJT7eduV8TIN5LSRUgo784qy501oCdIwKXA7Tc3ol9t1BoaP0WZqR8uA8t+78mw
F/ltrg1XfEuo551DvDHI
=LNq6
-----END PGP SIGNATURE-----
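All three CVEs above share one root cause: an integer overflow in a size or
offset computation, after which a heap buffer is smaller than the decoder
later assumes when it reads or writes rows, symbols or table entries. The
advisory names the affected functions but does not show the code, and the
editor's example below does not reproduce the actual jbig2dec bugs. It is an
added illustration of the bug class in a generic 1-bit-per-pixel bitmap
allocator, with the unchecked size computation next to an overflow-checked
one. The names unchecked_size, checked_size, bitmap_new, bitmap_free and the
MAX_IMAGE_BYTES cap are assumptions made for this example; the dimensions used
in main() are constructed, not taken from a real crafted file.

```c
/*
 * Added illustration, not jbig2dec code: DLA-942-1 names integer overflows in
 * size computations (symbol dictionary, Huffman table, image compose) but shows
 * no code, and this example does not reproduce those bugs. It shows the bug
 * class in a generic 1-bit-per-pixel bitmap allocator: an unchecked
 * stride * height wraps in 32 bits, so the allocator gets a tiny buffer while
 * width/height still describe a huge image, and every later row access runs
 * off the end of the heap block. The checked variant uses the GCC/Clang
 * __builtin_*_overflow helpers plus an assumed policy cap.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy limit for this example; a real decoder picks its own. */
#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)

typedef struct {
    uint32_t width;   /* pixels per row */
    uint32_t height;  /* rows */
    uint32_t stride;  /* bytes per row, rows padded to a byte boundary */
    uint8_t *data;    /* stride * height bytes */
} bitmap_t;

/* Vulnerable pattern: all arithmetic in uint32_t with no overflow test.
 * (width + 7) can wrap, and stride * height wraps for large images, so the
 * function happily returns e.g. 256 for a 2-gigapixel-wide, 256-row image. */
uint32_t unchecked_size(uint32_t width, uint32_t height)
{
    uint32_t stride = (width + 7) / 8;
    return stride * height;
}

/* Hardened pattern: reject zero dimensions, test every arithmetic step for
 * wrap-around, and cap the result so an absurd but non-wrapping size is
 * refused too. Returns 0 on rejection (0 is never a valid size here). */
uint32_t checked_size(uint32_t width, uint32_t height)
{
    uint32_t padded, stride, total;

    if (width == 0 || height == 0)
        return 0;
    if (__builtin_add_overflow(width, 7u, &padded))
        return 0;
    stride = padded / 8;
    if (__builtin_mul_overflow(stride, height, &total))
        return 0;
    if (total > MAX_IMAGE_BYTES)
        return 0;
    return total;
}

/* Allocate a bitmap only when the size computation is provably sound; the
 * stored stride is then consistent with the number of bytes actually owned. */
bitmap_t *bitmap_new(uint32_t width, uint32_t height)
{
    uint32_t size = checked_size(width, height);
    bitmap_t *bm;

    if (size == 0)
        return NULL;
    bm = calloc(1, sizeof *bm);
    if (bm == NULL)
        return NULL;
    bm->width = width;
    bm->height = height;
    bm->stride = (width + 7) / 8;   /* cannot wrap: checked_size validated it */
    bm->data = calloc(1, size);
    if (bm->data == NULL) {
        free(bm);
        return NULL;
    }
    return bm;
}

void bitmap_free(bitmap_t *bm)
{
    if (bm) {
        free(bm->data);
        free(bm);
    }
}

int main(void)
{
    /* Constructed header values of the kind a crafted .jb2 file could carry. */
    uint32_t w = 0x80000008u, h = 0x100u;
    bitmap_t *bm;

    printf("unchecked: %" PRIu32 " x %" PRIu32 " -> allocate %" PRIu32 " bytes\n",
           w, h, unchecked_size(w, h));
    printf("checked:   %" PRIu32 " x %" PRIu32 " -> %s\n",
           w, h, checked_size(w, h) ? "accepted" : "rejected");

    bm = bitmap_new(64, 8);
    if (bm != NULL) {
        printf("64x8 bitmap: stride %" PRIu32 ", %" PRIu32 " bytes\n",
               bm->stride, checked_size(64, 8));
        bitmap_free(bm);
    }
    return 0;
}
```

The unchecked variant computes 256 bytes for a 2147483656 x 256 image, which
is exactly the shape of flaw the advisory describes: the allocation succeeds,
the dimensions remain huge, and the first out-of-range row access becomes a
heap over-read or over-write. On Wheezy the practical check is that the
binary packages built from the jbig2dec source report version 0.13-4~deb7u2
or later in dpkg, and that long-running consumers of the shared library such
as Ghostscript are restarted so they load the fixed code.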