[ASA-201711-28] jbig2dec: denial of service

2017-11-22T00:00:00
ID ASA-201711-28
Type archlinux
Reporter ArchLinux
Modified 2017-11-22T00:00:00

Description

Arch Linux Security Advisory ASA-201711-28

Severity: Medium Date : 2017-11-22 CVE-ID : CVE-2017-9216 Package : jbig2dec Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-517

Summary

The package jbig2dec before version 0.14-1 is vulnerable to denial of service.

Resolution

Upgrade to 0.14-1.

pacman -Syu "jbig2dec>=0.14-1"

The problem has been fixed upstream in version 0.14.

Workaround

None.

Description

libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file.

Impact

A remote attacker is able to crash the application by providing an invalid file.

References

https://bugs.archlinux.org/task/56405 https://bugs.ghostscript.com/show_bug.cgi?id=697934 https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ebffb1d96ba0cacec23016eccb4047dab365853 https://security.archlinux.org/CVE-2017-9216