Bug 22065 - jbig2dec new security issue CVE-2017-9216
Summary: jbig2dec new security issue CVE-2017-9216
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-11-22 19:13 CET by David Walser
Modified: 2018-01-03 15:23 CET

See Also:
Source RPM: jbig2dec-0.13-3.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-11-22 19:13:56 CET
Fedora has issued an advisory on November 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5WXLQV64VNFUPCU35REYCOVZFDFAQDLH/

The issue was fixed upstream in 0.14.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-11-22 19:14:02 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-11-22 20:52:30 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => mageia

Comment 2 David Walser 2017-12-28 15:51:18 CET
Advisory:
========================

Updated jbig2dec packages fix security vulnerability:

libjbig2dec.a in Artifex jbig2dec 0.13 has a NULL pointer dereference in the
jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec
utility will crash (segmentation fault) when parsing an invalid file
(CVE-2017-9216).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9216
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5WXLQV64VNFUPCU35REYCOVZFDFAQDLH/
========================

Updated packages in core/updates_testing:
========================
jbig2dec-0.14-1.mga5
libjbig2dec0-0.14-1.mga5
libjbig2dec-devel-0.14-1.mga5
jbig2dec-0.14-1.mga6
libjbig2dec0-0.14-1.mga6
libjbig2dec-devel-0.14-1.mga6

from SRPMS:
jbig2dec-0.14-1.mga5.src.rpm
jbig2dec-0.14-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: mageia => qa-bugs
Version: Cauldron => 6

Comment 3 Herman Viaene 2017-12-31 10:10:45 CET
MGA5-32 on Dell Latitude D600
No installation issues
Spent some time in vain looking for some simple example, OK-ing as previous version on clean install.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Dave Hodgins 2018-01-01 07:43:51 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Dave Hodgins 2018-01-03 14:21:11 CET
Validating based on update installing cleanly.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-01-03 15:23:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0039.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
