Debian Long Term Support / LTS Security Information / 2022 / Security Information -- DLA-3004-1 htmldoc

Debian Security Advisory

DLA-3004-1 htmldoc -- LTS security update

Date Reported:

13 May 2022

Affected Packages:

htmldoc

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2022-27114.

More information:

It was discovered that there was an integer overflow vulnerabiliity in htmldoc, a HTML processor that generates indexed HTML, PS and PDF files. This was caused by a programming error in image_load_jpeg function due to a conflation or confusion of declared/expected/observed image dimensions.

• CVE-2022-27114

  CVE-2022-27114: There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg function image.cxx when it calls malloc,'img->width' and 'img->height' they are large enough to cause an integer overflow. So, the malloc function may return a heap block smaller than the expected size, and it will cause a buffer overflow/Address boundary error in the jpeg_read_scanlines function.

For Debian 9 Stretch, these problems have been fixed in version 1.8.27-8+deb9u3.

We recommend that you upgrade your htmldoc packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS