[arch-security] [ASA-201711-28] jbig2dec: denial of service

Morten Linderud foxboron at archlinux.org
Wed Nov 22 19:55:51 UTC 2017


Arch Linux Security Advisory ASA-201711-28
==========================================

Severity: Medium
Date    : 2017-11-22
CVE-ID  : CVE-2017-9216
Package : jbig2dec
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-517

Summary
=======

The package jbig2dec before version 0.14-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 0.14-1.

# pacman -Syu "jbig2dec>=0.14-1"

The problem has been fixed upstream in version 0.14.

Workaround
==========

None.

Description
===========

libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and
Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get
function in jbig2_huffman.c. For example, the jbig2dec utility will
crash (segmentation fault) when parsing an invalid file.

Impact
======

A remote attacker is able to crash the application by providing an
invalid file.

References
==========

https://bugs.archlinux.org/task/56405
https://bugs.ghostscript.com/show_bug.cgi?id=697934
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ebffb1d96ba0cacec23016eccb4047dab365853
https://security.archlinux.org/CVE-2017-9216
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20171122/2d2fade0/attachment.asc>


More information about the arch-security mailing list