
[SECURITY] [DLA 942-1] jbig2dec security update



Package        : jbig2dec
Version        : 0.13-4~deb7u2
CVE ID         : CVE-2017-7885 CVE-2017-7975 CVE-2017-7976

CVE-2017-7885
     Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to
     denial of service (application crash) or disclosure of sensitive
     information from process memory, because of an integer overflow
     in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c
     in libjbig2dec.a during operation on a crafted .jb2 file.

CVE-2017-7975
     Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds
     writes because of an integer overflow in the jbig2_build_huffman_table
     function in jbig2_huffman.c during operations on a crafted JBIG2 file,
     leading to a denial of service (application crash) or possibly
     execution of arbitrary code.

CVE-2017-7976
     Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because
     of an integer overflow in the jbig2_image_compose function in
     jbig2_image.c during operations on a crafted .jb2 file, leading
     to a denial of service (application crash) or disclosure of
     sensitive information from process memory.

For Debian 7 "Wheezy", these problems have been fixed in version
0.13-4~deb7u2.

We recommend that you upgrade your jbig2dec packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


