Debian Security Advisory
DLA-3004-1 htmldoc -- LTS security update
- Date Reported:
- 13 May 2022
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2022-27114.
- More information:
It was discovered that there was an integer overflow vulnerabiliity in htmldoc, a HTML processor that generates indexed HTML, PS and PDF files. This was caused by a programming error in image_load_jpeg function due to a conflation or confusion of declared/expected/observed image dimensions.
CVE-2022-27114: There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg function image.cxx when it calls malloc,'img->width' and 'img->height' they are large enough to cause an integer overflow. So, the malloc function may return a heap block smaller than the expected size, and it will cause a buffer overflow/Address boundary error in the jpeg_read_scanlines function.
For Debian 9
Stretch, these problems have been fixed in version 1.8.27-8+deb9u3.
We recommend that you upgrade your htmldoc packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS