Bug 20565 - jbig2dec new security issues CVE-2016-9601, CVE-2017-797[56], and CVE-2017-7885
Summary: jbig2dec new security issues CVE-2016-9601, CVE-2017-797[56], and CVE-2017-7885
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://www.linuxsecurity.com/content/...
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-25 16:31 CET by David Walser
Modified: 2017-07-13 11:26 CEST

See Also:
Source RPM: jbig2dec-0.13-1.mga6.src.rpm
CVE: CVE-2016-9601
Status comment:


Description David Walser 2017-03-25 16:31:49 CET
Debian has issued an advisory on March 24:
https://www.debian.org/security/2017/dsa-3817

Mageia 5 may also be affected.
David Walser 2017-03-25 16:32:34 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-03-26 09:24:57 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => mageia

Nicolas Lécureuil 2017-04-24 15:38:01 CEST

CVE: (none) => CVE-2016-9601

Comment 2 Nicolas Lécureuil 2017-04-25 09:30:09 CEST
Fixed in cauldron

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 3 David Walser 2017-05-07 17:35:35 CEST
Fedora has issued an advisory on May 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMOLQQO2AYM3T3SKPNN2GAB3WAPH7PKK/

The CVE-2017-7975 issue appears to actually be in jbig2dec:
https://bugzilla.redhat.com/show_bug.cgi?id=1443940

Severity: normal => major
Summary: jbig2dec new security issue CVE-2016-9601 => jbig2dec new security issues CVE-2016-9601 and CVE-2017-7975
Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO

Comment 4 David Walser 2017-05-07 17:36:20 CEST
Same with CVE-2017-7976:
https://bugzilla.redhat.com/show_bug.cgi?id=1443897

Summary: jbig2dec new security issues CVE-2016-9601 and CVE-2017-7975 => jbig2dec new security issues CVE-2016-9601 and CVE-2017-797[56]

Comment 5 David Walser 2017-05-07 17:36:59 CEST
Same with CVE-2017-7885:
https://bugzilla.redhat.com/show_bug.cgi?id=1444104

Summary: jbig2dec new security issues CVE-2016-9601 and CVE-2017-797[56] => jbig2dec new security issues CVE-2016-9601, CVE-2017-797[56], and CVE-2017-7885

Zombie Ryushu 2017-05-20 13:49:03 CEST

URL: (none) => http://www.linuxsecurity.com/content/view/171514/170/
CC: (none) => zombie_ryushu

Comment 7 David Walser 2017-06-04 21:55:13 CEST
Fedora patch added in Cauldron in jbig2dec-0.13-3.mga6 to fix the rest of these.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 8 David Walser 2017-07-09 01:55:57 CEST
Updated and patched package uploaded for Mageia 5.

Advisory:
========================

Updated jbig2dec packages fix security vulnerabilities:

Multiple security issues have been found in the JBIG2 decoder library, which
may lead to denial of service or the execution of arbitrary code if a
malformed image file (usually embedded in a PDF document) is opened
(CVE-2016-9601).

Artifex jbig2dec has a heap-based buffer over-read leading to denial of service
(application crash) because of an integer overflow in the
jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a
during operation on a crafted .jb2 file (CVE-2017-7885).

Artifex jbig2dec allows out-of-bounds writes because of an integer overflow in
the jbig2_build_huffman_table function in jbig2_huffman.c during operations on
a crafted JBIG2 file, leading to a denial of service (application crash) or
possibly execution of arbitrary code (CVE-2017-7975).

Artifex jbig2dec allows out-of-bounds writes and reads because of an integer
overflow in the jbig2_image_compose function in jbig2_image.c during operations
on a crafted .jb2 file, leading to a denial of service (application crash)
(CVE-2017-7976).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
https://www.debian.org/security/2017/dsa-3817
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XWQQMCDLDOZ535O3IKFQZE3VPCWC3HWH/
========================

Updated packages in core/updates_testing:
========================
jbig2dec-0.13-1.mga5
libjbig2dec0-0.13-1.mga5
libjbig2dec-devel-0.13-1.mga5

from jbig2dec-0.13-1.mga5.src.rpm

Assignee: mageia => qa-bugs

Comment 9 Dave Hodgins 2017-07-13 03:43:59 CEST
I couldn't find any public examples of the poc files, or any jbig2 compressed
files, so validating the update based only on the update installing cleanly
over the prior version.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2017-07-13 04:17:24 CEST

Whiteboard: advisory MGA5-64-OK MGA6-64-OK => advisory MGA5-32-OK MGA6-64-OK

Dave Hodgins 2017-07-13 04:17:55 CEST

Whiteboard: advisory MGA5-32-OK MGA6-64-OK => advisory MGA5-32-OK MGA5-64-OK

Comment 10 Mageia Robot 2017-07-13 11:26:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0206.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED