Updated jbig2dec packages fix security vulnerability
Publication date: 13 Jul 2017
Modification date: 13 Jul 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-9601, CVE-2017-7885, CVE-2017-7975, CVE-2017-7976
Description
Multiple security issues have been found in the JBIG2 decoder library,
which may lead to denial of service or the execution of arbitrary
code if a malformed image file (usually embedded in a PDF document) is
opened (CVE-2016-9601).

Artifex jbig2dec has a heap-based buffer over-read leading to denial of
service (application crash) because of an integer overflow in the
jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a
during operation on a crafted .jb2 file (CVE-2017-7885).

Artifex jbig2dec allows out-of-bounds writes because of an integer
overflow in the jbig2_build_huffman_table function in jbig2_huffman.c
during operations on a crafted JBIG2 file, leading to a denial of service
(application crash) or possibly execution of arbitrary code
(CVE-2017-7975).

Artifex jbig2dec allows out-of-bounds writes and reads because of an
integer overflow in the jbig2_image_compose function in jbig2_image.c
during operations on a crafted .jb2 file, leading to a denial of service
(application crash) (CVE-2017-7976).
References
- https://bugs.mageia.org/show_bug.cgi?id=20565
- https://www.debian.org/security/2017/dsa-3817
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XWQQMCDLDOZ535O3IKFQZE3VPCWC3HWH/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
SRPMS
5/core
- jbig2dec-0.13-1.mga5