MGASA-2017-0206

Description

Updated jbig2dec packages fix security vulnerability Multiple security issues have been found in the JBIG2 decoder library, which may lead to lead to denial of service or the execution of arbitrary code if a malformed image file (usually embedded in a PDF document) is opened (CVE-2016-9601). Artifex jbig2dec has a heap-based buffer over-read leading to denial of service (application crash) because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file (CVE-2017-7885). Artifex jbig2dec allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code (CVE-2017-7975). Artifex jbig2dec allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) (CVE-2017-7976).

Affected Systems

• mageia•jbig2dec

  < 0.13-1.mga5

References (4)

• https://advisories.mageia.org/MGASA-2017-0206.html
• https://bugs.mageia.org/show_bug.cgi?id=20565
• https://www.debian.org/security/2017/dsa-3817
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XWQQMCDLDOZ535O3IKFQZE3VPCWC3HWH/