SUSE has issued an advisory today (May 7):
http://lists.suse.com/pipermail/sle-security-updates/2020-May/006802.html

The issue is fixed upstream in 0.18.

Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 0.18
Whiteboard: (none) => MGA7TOO
Done for Cauldron and mga7!
CC: (none) => geiger.david68210
Once again, thanks for an ultra-speedy response. Alors, assigning this to you!
Assignee: bugsquad => geiger.david68210
Advisory:
========================

Updated jbig2dec packages fix security vulnerability:

jbig2_image_compose in jbig2_image.c in Artifex jbig2dec before 0.18 has a heap-based buffer overflow (CVE-2020-12268).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12268
http://lists.suse.com/pipermail/sle-security-updates/2020-May/006802.html
========================

Updated packages in core/updates_testing:
========================
jbig2dec-0.18-1.mga7
libjbig2dec0-0.18-1.mga7
libjbig2dec-devel-0.18-1.mga7

from jbig2dec-0.18-1.mga7.src.rpm
Status comment: Fixed upstream in 0.18 => (none)
Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 7
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 22065 would be OK on clean install.
Nevertheless tried to find something on the net to test. Found https://jbig2dec.com/ and quote from it:
"This is a decoder only implementation, and its primary use is in Ghostscript and MuPDF for decoding JBIG2 streams in PDF files. Thus its primary focus is the set of JBIG2 features supported in PDF."
It also refers to some test files, downloaded the pdf file from it and tried the command line.

    $ jbig2dec t89-halftone.pdf
    jbig2dec FATAL ERROR not a JBIG2 file header
    jbig2dec FATAL ERROR page has no image, cannot be completed
    jbig2dec WARNING unable to complete page

So whether it's me, but I can't demonstrate anything this way. Leaving for others to judge upon this update.
CC: (none) => herman.viaene
Tried to downgrade along the instructions of QArepo:

    # urpmi --update --downgrade jbig2dec lib64jbig2dec0
    No package named jbig2dec
    No package named lib64jbig2dec0
@Herman: comment 4
Thanks for your efforts Herman and the link. Looks like the PDF file may be a summary of the background principles rather than a suitable test file. It can be read in a normal PDF reader like xpdf.

Before update a run on the test case at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20332 resulted in a loop (?) where one or other of the cpu cores hit 100%. It is meant to be run under asan though so this is probably not a legitimate test.

One of the test files from https://jbig2dec.com/tests/index.html:

    $ jbig2dec 042_11.jb2
    unsupported output format: 0
    $ jbig2dec -o whatever.pbm 042_11.jb2
    $ ll *.pbm
    -rw-r--r-- 1 lcl lcl 505237 May 10 10:14 whatever.pbm
    $ display whatever.pbm

produced an image of a page of text showing degradation from top to bottom.

Updated the packages.

    $ jbig2dec -o test.pbm clusterfuzz-testcase-minimized-jbig2_fuzzer-5647271708590080
    jbig2dec FATAL ERROR not enough data for decoding (-780016/4) (segment 0x200001)
    jbig2dec WARNING failed to decode; treating as end of file (segment 0x200001)
    jbig2dec FATAL ERROR page has no image, cannot be completed
    jbig2dec WARNING unable to complete page

That looks like a good result for the PoC.

    $ jbig2dec -o updated.pbm 042_11.jb2
    $ display updated.pbm

Shows the same image as before so this bug can be cleared.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
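
Added example (not part of the original thread or of Mageia's QA tooling): a shell harness that repeats the checks from the comment above without relying on watching CPU load or viewing images by eye. The function names, the 10-second limit and the classification by exit status are assumptions of this example; only the `-o` flag comes from the thread.

```shell
#!/usr/bin/env bash
# Added example: regression check for a decoder security update.
DECODER="${DECODER:-jbig2dec}"   # decoder under test
LIMIT="${LIMIT:-10}"             # seconds before a run counts as a hang (assumed)

# classify_run INPUT OUTPUT -> prints hang | crash | decoded | rejected
classify_run() {
    local input="$1" output="$2" rc=0
    rm -f -- "$output"
    timeout "$LIMIT" "$DECODER" -o "$output" "$input" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo hang        # timeout fired, e.g. a core stuck at 100%
    elif [ "$rc" -gt 128 ]; then
        echo crash       # terminated by a signal (139 = SIGSEGV)
    elif [ -s "$output" ]; then
        echo decoded     # a non-empty image was written
    else
        echo rejected    # clean refusal, the wanted result for a PoC
    fi
}

# same_output BEFORE AFTER -> succeeds when both images are byte-identical
same_output() {
    cmp -s -- "$1" "$2"
}

# verify_update POC GOOD_SAMPLE BASELINE_IMAGE
# Succeeds only if the PoC is rejected and the known-good sample still
# decodes to exactly the image saved before the update.
verify_update() {
    local poc="$1" good="$2" baseline="$3" tmp status=0
    tmp="$(mktemp -d)" || return 2
    [ "$(classify_run "$poc" "$tmp/poc.pbm")" = rejected ] || status=1
    [ "$(classify_run "$good" "$tmp/good.pbm")" = decoded ] || status=1
    same_output "$baseline" "$tmp/good.pbm" || status=1
    rm -rf -- "$tmp"
    return "$status"
}
```

Saving the pre-update image as the baseline and calling `verify_update <poc> 042_11.jb2 whatever.pbm` after the update gives a single pass/fail exit status for the QA record.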
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0213.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED