Bug 20565

Summary: jbig2dec new security issues CVE-2016-9601, CVE-2017-797[56], and CVE-2017-7885
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, marja11, sysadmin-bugs, zombie_ryushu
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://www.linuxsecurity.com/content/view/171514/170/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: jbig2dec-0.13-1.mga6.src.rpm CVE: CVE-2016-9601
Status comment:

Description David Walser 2017-03-25 16:31:49 CET 
Debian has issued an advisory on March 24:
https://www.debian.org/security/2017/dsa-3817

Mageia 5 may also be affected.
David Walser 2017-03-25 16:32:34 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-03-26 09:24:57 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => mageia

Nicolas Lécureuil 2017-04-24 15:38:01 CEST

CVE: (none) => CVE-2016-9601

Comment 2 Nicolas Lécureuil 2017-04-25 09:30:09 CEST 
Fixed in cauldron

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 3 David Walser 2017-05-07 17:35:35 CEST 
Fedora has issued an advisory on May 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMOLQQO2AYM3T3SKPNN2GAB3WAPH7PKK/

The CVE-2017-7975 issue appears to actually be in jbig2dec:
https://bugzilla.redhat.com/show_bug.cgi?id=1443940

Severity: normal => major
Summary: jbig2dec new security issue CVE-2016-9601 => jbig2dec new security issues CVE-2016-9601 and CVE-2017-7975
Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO

Comment 4 David Walser 2017-05-07 17:36:20 CEST 
Same with CVE-2017-7976:
https://bugzilla.redhat.com/show_bug.cgi?id=1443897

Summary: jbig2dec new security issues CVE-2016-9601 and CVE-2017-7975 => jbig2dec new security issues CVE-2016-9601 and CVE-2017-797[56]

Comment 5 David Walser 2017-05-07 17:36:59 CEST 
Same with CVE-2017-7885:
https://bugzilla.redhat.com/show_bug.cgi?id=1444104

Summary: jbig2dec new security issues CVE-2016-9601 and CVE-2017-797[56] => jbig2dec new security issues CVE-2016-9601, CVE-2017-797[56], and CVE-2017-7885

Zombie Ryushu 2017-05-20 13:49:03 CEST

URL: (none) => http://www.linuxsecurity.com/content/view/171514/170/
CC: (none) => zombie_ryushu

Comment 7 David Walser 2017-06-04 21:55:13 CEST 
Fedora patch added in Cauldron in jbig2dec-0.13-3.mga6 to fix the rest of these.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 8 David Walser 2017-07-09 01:55:57 CEST 
Updated and patched package uploaded for Mageia 5.

Advisory:
========================

Updated jbig2dec packages fix security vulnerabilities:

Multiple security issues have been found in the JBIG2 decoder library, which
may lead to lead to denial of service or the execution of arbitrary code if a
malformed image file (usually embedded in a PDF document) is opened
(CVE-2016-9601).

Artifex jbig2dec has a heap-based buffer over-read leading to denial of service
(application crash) because of an integer overflow in the
jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a
during operation on a crafted .jb2 file (CVE-2017-7885).

Artifex jbig2dec allows out-of-bounds writes because of an integer overflow in
the jbig2_build_huffman_table function in jbig2_huffman.c during operations on
a crafted JBIG2 file, leading to a denial of service (application crash) or
possibly execution of arbitrary code (CVE-2017-7975).

Artifex jbig2dec allows out-of-bounds writes and reads because of an integer
overflow in the jbig2_image_compose function in jbig2_image.c during operations
on a crafted .jb2 file, leading to a denial of service (application crash)
(CVE-2017-7976).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
https://www.debian.org/security/2017/dsa-3817
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XWQQMCDLDOZ535O3IKFQZE3VPCWC3HWH/
========================

Updated packages in core/updates_testing:
========================
jbig2dec-0.13-1.mga5
libjbig2dec0-0.13-1.mga5
libjbig2dec-devel-0.13-1.mga5

from jbig2dec-0.13-1.mga5.src.rpm

Assignee: mageia => qa-bugs

Comment 9 Dave Hodgins 2017-07-13 03:43:59 CEST 
I couldn't find any public examples of the poc files, or any jbig2 compressed
files, so validating the update based only on the update installing cleanly
over the prior version.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2017-07-13 04:17:24 CEST

Whiteboard: advisory MGA5-64-OK MGA6-64-OK => advisory MGA5-32-OK MGA6-64-OK

Dave Hodgins 2017-07-13 04:17:55 CEST

Whiteboard: advisory MGA5-32-OK MGA6-64-OK => advisory MGA5-32-OK MGA5-64-OK

Comment 10 Mageia Robot 2017-07-13 11:26:24 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0206.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED