
Bug#860787: marked as done (jbig2dec: CVE-2017-7976: Integer overflow in function jbig2_image_compose)



Your message dated Wed, 17 May 2017 09:08:02 +0000
with message-id <E1dAuw6-0009de-G3@fasolo.debian.org>
and subject line Bug#860787: fixed in jbig2dec 0.13-4.1
has caused the Debian Bug report #860787,
regarding jbig2dec: CVE-2017-7976: Integer overflow in function jbig2_image_compose 
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860787: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860787
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: jbig2dec
Version: 0.13-4
Severity: important
Tags: security upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=697683
Control: found -1 0.13-4~deb8u1

Hi,

the following vulnerability was published for jbig2dec.

CVE-2017-7976[0]:
| Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of
| an integer overflow in the jbig2_image_compose function in
| jbig2_image.c during operations on a crafted .jb2 file, leading to a
| denial of service (application crash) or disclosure of sensitive
| information from process memory.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7976
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
[1] https://bugs.ghostscript.com/show_bug.cgi?id=697683

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jbig2dec
Source-Version: 0.13-4.1

We believe that the bug you reported is fixed in the latest version of
jbig2dec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860787@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated jbig2dec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 May 2017 20:08:21 +0200
Source: jbig2dec
Binary: libjbig2dec0-dev libjbig2dec0 jbig2dec
Architecture: source
Version: 0.13-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 860460 860787 860788
Description: 
 jbig2dec   - JBIG2 decoder library - tools
 libjbig2dec0 - JBIG2 decoder library - shared libraries
 libjbig2dec0-dev - JBIG2 decoder library - development files
Changes:
 jbig2dec (0.13-4.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Prevent integer overflow vulnerability (CVE-2017-7885) (Closes: #860460)
   * Prevent SEGV due to integer overflow (CVE-2017-7975) (Closes: #860788)
   * Bounds check before reading from image source data (CVE-2017-7976)
     (Closes: #860787)
Checksums-Sha1: 
 280a61fcbe3beeaa369ab0b0c5b0c1122772ff15 2291 jbig2dec_0.13-4.1.dsc
 9c9c38fe026410501e7a8e0d1577196411af854e 25568 jbig2dec_0.13-4.1.debian.tar.xz
Checksums-Sha256: 
 4fca01f41a817e412d79fa4148567f9945594d02b0f45b02ec307908d66a5f73 2291 jbig2dec_0.13-4.1.dsc
 41114245b7410a03196c5f7def10efa78c9da12b4bac9d21d6fbe96ded4232dd 25568 jbig2dec_0.13-4.1.debian.tar.xz
Files: 
 493146b382b4f9b61478e6832356bbb4 2291 libs optional jbig2dec_0.13-4.1.dsc
 6770cc5dd5ae16609b8121129e4a4a03 25568 libs optional jbig2dec_0.13-4.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
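Illustration added to this page (it is not jbig2dec's code and not the upstream fix tracked at https://bugs.ghostscript.com/show_bug.cgi?id=697683): the CVE text in the first message describes an integer overflow in an image-compose routine leading to out-of-bounds reads and writes, and the changelog entry in the second names the mitigation as a bounds check before reading from the source image. The C below shows that bug class on a constructed 8-bit-per-pixel bitmap (the Image struct, both compose functions and compose_demo are this example's own names, not the library's, and real jbig2dec images are packed 1 bit per pixel): a "does it fit?" test done in int arithmetic that a crafted offset can wrap or a negative offset can slip past, next to a version that clips the overlap rectangle in 64-bit arithmetic so every index into either buffer is in range before the loops run.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 8-bit-per-pixel bitmap used only for this example. jbig2dec's
 * Jbig2Image packs one bit per pixel with a stride, so this is a simplified
 * stand-in, not the library's type. */
typedef struct {
    int width;
    int height;
    uint8_t *data;   /* width * height bytes, row-major */
} Image;

/* The unsafe shape: a "fits inside dst?" test done in int arithmetic. For an
 * offset near INT_MAX, x + src->width wraps (undefined behaviour in C, and
 * negative in practice), the test passes, and the loops then read src and
 * write dst far outside their buffers. A negative x or y passes the test too
 * and indexes before the start of dst. Shown for contrast; never called here. */
int image_compose_unchecked(Image *dst, const Image *src, int x, int y)
{
    if (x + src->width > dst->width || y + src->height > dst->height)
        return -1;                       /* wraps for large x or y */
    for (int sy = 0; sy < src->height; sy++)
        for (int sx = 0; sx < src->width; sx++)
            dst->data[(y + sy) * dst->width + (x + sx)] |=
                src->data[sy * src->width + sx];
    return 0;
}

/* Hardened shape: OR-compose src onto dst at (x, y), clipping rather than
 * trusting the offsets. The overlap rectangle is computed in int64_t so the
 * arithmetic cannot wrap, then clipped to dst; every (dx, dy) visited lies
 * inside dst and every (sx, sy) derived from it lies inside src.
 * Returns 0 on success (including "nothing visible"), -1 on a bad argument. */
int image_compose_checked(Image *dst, const Image *src, int x, int y)
{
    if (!dst || !src || !dst->data || !src->data) return -1;
    if (dst->width <= 0 || dst->height <= 0 ||
        src->width <= 0 || src->height <= 0) return -1;

    int64_t x0 = (int64_t)x, y0 = (int64_t)y;
    int64_t x1 = x0 + src->width, y1 = y0 + src->height;   /* no wrap in 64-bit */
    int64_t cx0 = x0 < 0 ? 0 : x0;
    int64_t cy0 = y0 < 0 ? 0 : y0;
    int64_t cx1 = x1 > dst->width ? dst->width : x1;
    int64_t cy1 = y1 > dst->height ? dst->height : y1;
    if (cx0 >= cx1 || cy0 >= cy1) return 0;   /* entirely off-image: nothing to do */

    for (int64_t dy = cy0; dy < cy1; dy++) {
        int64_t sy = dy - y0;                 /* in [0, src->height) by construction */
        for (int64_t dx = cx0; dx < cx1; dx++) {
            int64_t sx = dx - x0;             /* in [0, src->width) by construction */
            dst->data[dy * dst->width + dx] |= src->data[sy * src->width + sx];
        }
    }
    return 0;
}

/* Constructed sample: a 4x4 destination and a 2x2 all-ones source, composed at
 * a normal offset, a negative offset that partially overlaps, and an offset
 * whose 32-bit sum would wrap. Returns the number of set pixels in dst
 * afterwards (4 + 1 + 0 = 5), or -1 if a compose unexpectedly fails. */
int compose_demo(void)
{
    uint8_t dbuf[4 * 4] = {0};
    uint8_t sbuf[2 * 2] = {1, 1, 1, 1};
    Image dst = {4, 4, dbuf};
    Image src = {2, 2, sbuf};
    if (image_compose_checked(&dst, &src, 1, 1) != 0) return -1;            /* 4 pixels */
    if (image_compose_checked(&dst, &src, -1, -1) != 0) return -1;          /* only (0,0) */
    if (image_compose_checked(&dst, &src, INT_MAX, INT_MAX) != 0) return -1; /* off-image */
    int count = 0;
    for (int i = 0; i < 16; i++) count += dbuf[i] != 0;
    return count;
}

int main(void)
{
    printf("set pixels after three composes: %d\n", compose_demo());
    return 0;
}
```

The point of the clipped version is that the loop bounds are derived from the destination and then mapped back into the source, so an out-of-range offset can only shrink the work to nothing; there is no separate "does it fit?" predicate whose own arithmetic can overflow.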
