
Bug#863279: marked as done (jbig2dec: CVE-2017-9216: NULL pointer dereference in the jbig2_huffman_get function)
Your message dated Sat, 23 Sep 2017 11:35:47 +0000
with message-id <E1dviip-000Eak-B6@fasolo.debian.org>
and subject line Bug#863279: fixed in jbig2dec 0.13-5
has caused the Debian Bug report #863279,
regarding jbig2dec: CVE-2017-9216: NULL pointer dereference in the jbig2_huffman_get function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863279: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863279
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: jbig2dec
Version: 0.13-1
Severity: important
Tags: upstream security
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=697934

Hi,

the following vulnerability was published for jbig2dec.

CVE-2017-9216[0]:
| libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and
| Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get
| function in jbig2_huffman.c. For example, the jbig2dec utility will
| crash (segmentation fault) when parsing an invalid file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9216
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9216
[1] https://bugs.ghostscript.com/show_bug.cgi?id=697934

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jbig2dec
Source-Version: 0.13-5

We believe that the bug you reported is fixed in the latest version of
jbig2dec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863279@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated jbig2dec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 Sep 2017 13:27:40 +0200
Source: jbig2dec
Binary: libjbig2dec0-dev libjbig2dec0 jbig2dec
Architecture: source
Version: 0.13-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
 jbig2dec   - JBIG2 decoder library - tools
 libjbig2dec0 - JBIG2 decoder library - shared libraries
 libjbig2dec0-dev - JBIG2 decoder library - development files
Closes: 863279
Changes:
 jbig2dec (0.13-5) unstable; urgency=medium
 .
   * Add DEP-3 header to patch 1001.
   * Advertise DEP-3 format in patch headers.
   * Add patches cherry-picked upstream:
     + Fix decoder error on JBIG2 compressed image.
     + Tidy up unused code.
     + Add sanity check on image sizes.
     + refine test for "Denial of Service" images
     + Prevent SEGV due to integer overflow.
     + Prevent integer overflow vulnerability.
     + Bounds check before reading from image source data.
     + Plug leak of parameter info in command-line tool.
     + Fix memory leak in case of error.
     + Make clipping in image compositing handle underflow.
     + Fix double free in error case.
     + Do bounds checking of read data.
     + Do not grow page if page height is known.
     + Fix SEGV due to error code being ignored.
       Closes: Bug#863279; CVE-2017-9216. Thanks to Salvatore Bonaccorso.
     + Allow for symbol dictionary with 0 symbols.
   * Update watch file: Use substitution strings.
   * Stop putting aside auto-generated header file during build: No longer
     shipped upstream.
   * Modernize cdbs:
     + Do copyright-check in maintainer script (not during build).
     + Relax to build-depend unversioned on cdbs.
     + Stop build-depend on licensecheck.
   * Declare compliance with Debian Policy 4.1.0.
   * Update copyright info:
     + Use https protocol in file format URL.
     + Fix rename License section AGPL-3 → AGPL-3+.
   * Tighten lintian overrides regarding License-Reference.
Checksums-Sha1:
 8f0414d51a1be00bee0b3f1ae9545ffe9b8046c6 2100 jbig2dec_0.13-5.dsc
 1cf4a0a0b28f5e6ffe0dd9e3cdfa621c7217aec5 30788 jbig2dec_0.13-5.debian.tar.xz
 d1173e06582c8139ee22851a0abfc10f4ad026a0 7204 jbig2dec_0.13-5_amd64.buildinfo
Checksums-Sha256:
 9450b10caa782fdc02b2cf1f7f136ce1c25fbe48790445de82ac6ed62fd991dd 2100 jbig2dec_0.13-5.dsc
 d7c25acd31b24fedc4c8de2cf8a5c6d5acc00e99d78c027da2fa74f23ef246ec 30788 jbig2dec_0.13-5.debian.tar.xz
 fb150e72ae2ebe05fab4c1dfe12e98c50801d80c8ae63ee0e4829ba6bc60a8aa 7204 jbig2dec_0.13-5_amd64.buildinfo
Files:
 5d719be385cc20ff3c41b04fb87bc4d6 2100 libs optional jbig2dec_0.13-5.dsc
 42f4012e11a09a077a6816517028c41c 30788 libs optional jbig2dec_0.13-5.debian.tar.xz
 f845153ec6002f7aea50b83563f2371e 7204 libs optional jbig2dec_0.13-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
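The failure mode named in the report above and in the changelog entry that closes it (a table-construction step fails on malformed input, the caller ignores the error return, and the subsequent Huffman lookup dereferences a NULL table pointer), as an added C example. This is not jbig2dec's code and does not reproduce the upstream patch: the `toy_` functions, the segment layout (one count byte followed by (prefix_len, value) pairs), the error convention and the sample bytes are all constructed here for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical simplified model of an "error code ignored" NULL dereference.
 * Nothing here is taken from jbig2dec; names and layout are made up. */

typedef struct {
    int prefix_len;   /* code length in bits */
    int value;        /* symbol decoded for that code length */
} toy_line;

typedef struct {
    toy_line *lines;
    size_t n;
} toy_table;

/* Build a table from a constructed "segment": byte 0 = number of lines,
 * then pairs (prefix_len, value). Returns 0 on success, -1 on malformed
 * input; on failure *out is left NULL (assumed convention, not jbig2dec's). */
int toy_build_table(const uint8_t *seg, size_t seg_len, toy_table **out)
{
    *out = NULL;
    if (seg == NULL || seg_len < 1) return -1;
    size_t n = seg[0];
    if (n == 0 || seg_len < 1 + 2 * n) return -1;      /* truncated segment */
    toy_table *t = malloc(sizeof *t);
    if (t == NULL) return -1;
    t->lines = calloc(n, sizeof *t->lines);
    if (t->lines == NULL) { free(t); return -1; }
    t->n = n;
    for (size_t i = 0; i < n; i++) {
        int len = seg[1 + 2 * i];
        if (len < 1 || len > 32) {                      /* invalid code length */
            free(t->lines); free(t); return -1;
        }
        t->lines[i].prefix_len = len;
        t->lines[i].value = seg[2 + 2 * i];
    }
    *out = t;
    return 0;
}

void toy_free_table(toy_table *t)
{
    if (t != NULL) { free(t->lines); free(t); }
}

/* Lookup: value of the first line whose prefix_len matches, else -1.
 * Dereferences t unconditionally; the caller must guarantee it is non-NULL. */
int toy_huffman_get(const toy_table *t, int code_len)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->lines[i].prefix_len == code_len) return t->lines[i].value;
    return -1;
}

/* VULNERABLE pattern: the return code of toy_build_table is discarded, so a
 * malformed segment leaves t == NULL and toy_huffman_get segfaults.
 * Not called by the checks below, because it crashes on bad input. */
int decode_ignoring_error(const uint8_t *seg, size_t seg_len, int code_len)
{
    toy_table *t;
    (void)toy_build_table(seg, seg_len, &t);   /* error code ignored */
    int v = toy_huffman_get(t, code_len);      /* NULL dereference on bad input */
    toy_free_table(t);
    return v;
}

/* FIXED pattern: check the error code and report instead of dereferencing. */
int decode_checking_error(const uint8_t *seg, size_t seg_len, int code_len)
{
    toy_table *t;
    if (toy_build_table(seg, seg_len, &t) != 0 || t == NULL)
        return -2;                             /* malformed input: fail cleanly */
    int v = toy_huffman_get(t, code_len);
    toy_free_table(t);
    return v;
}

/* Constructed sample inputs (not bytes from any real JBIG2 file). */
static const uint8_t good_seg[] = { 2, 3, 0x41, 5, 0x42 };   /* two valid lines */
static const uint8_t bad_seg[]  = { 4, 3, 0x41 };            /* claims 4 lines, truncated */
```

With `good_seg`, `decode_checking_error` returns 0x41 for code length 3, 0x42 for 5 and -1 for an absent length; with `bad_seg` it returns -2, whereas `decode_ignoring_error` on the same bytes dereferences NULL, which is the crash class the CVE describes.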
