Debian Security Advisory

DLA-3004-1 htmldoc -- LTS security update

Date Reported:
13 May 2022
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2022-27114.
More information:

It was discovered that there was an integer overflow vulnerabiliity in htmldoc, a HTML processor that generates indexed HTML, PS and PDF files. This was caused by a programming error in image_load_jpeg function due to a conflation or confusion of declared/expected/observed image dimensions.

  • CVE-2022-27114

    CVE-2022-27114: There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg function image.cxx when it calls malloc,'img->width' and 'img->height' they are large enough to cause an integer overflow. So, the malloc function may return a heap block smaller than the expected size, and it will cause a buffer overflow/Address boundary error in the jpeg_read_scanlines function.

For Debian 9 Stretch, these problems have been fixed in version 1.8.27-8+deb9u3.

We recommend that you upgrade your htmldoc packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: