jbig2dec: CVE-2016-9601: Heap-buffer overflow due to Integer overflow in jbig2_image_new function

Related Vulnerabilities: CVE-2016-9601  

Debian Bug report logs - #850497


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 7 Jan 2017 09:03:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions jbig2dec/0.13-3, jbig2dec/0.11+20120125-1

Fixed in versions jbig2dec/0.13-4, jbig2dec/0.13-4~deb8u1

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#850497; Package src:jbig2dec. (Sat, 07 Jan 2017 09:03:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Sat, 07 Jan 2017 09:03:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jbig2dec: CVE-2016-9601: Heap-buffer overflow due to Integer overflow in jbig2_image_new function
Date: Sat, 07 Jan 2017 10:01:12 +0100
Source: jbig2dec
Version: 0.13-3
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for jbig2dec.

NOTE: Actually not much has been published yet. There is an upstream
bug report at [1], so I am opening this bug in the Debian BTS to help
tracking the issue. There is a report, but it is restricted to the
developers yet. From a look at the trace and the current code some
issue might be present, but it is not really possible to say more yet
without having access to the report ... hope you as maintainers could
find more out from upstream. There is as well no patch referenced yet.

CVE-2016-9601[0]:
Heap-buffer overflow due to Integer overflow in jbig2_image_new function

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9601
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
[1] https://bugs.ghostscript.com/show_bug.cgi?id=697457

Please adjust the affected versions in the BTS as needed, once more
known.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#850497; Package src:jbig2dec. (Mon, 23 Jan 2017 19:45:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Mon, 23 Jan 2017 19:45:03 GMT).


Message #10 received at 850497@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 850497@bugs.debian.org
Subject: Re: Bug#850497: jbig2dec: CVE-2016-9601: Heap-buffer overflow due to Integer overflow in jbig2_image_new function
Date: Mon, 23 Jan 2017 20:43:04 +0100
Control: tags -1 + fixed-upstream

Hi

According to https://bugs.ghostscript.com/show_bug.cgi?id=697457#c7
this is fixed in the git repository for jbig2dec.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to 850497-submit@bugs.debian.org. (Mon, 23 Jan 2017 19:45:03 GMT).


Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Mon, 23 Jan 2017 21:09:17 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 23 Jan 2017 21:09:17 GMT).


Message #17 received at 850497-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 850497-close@bugs.debian.org
Subject: Bug#850497: fixed in jbig2dec 0.13-4
Date: Mon, 23 Jan 2017 21:07:26 +0000
Source: jbig2dec
Source-Version: 0.13-4

We believe that the bug you reported is fixed in the latest version of
jbig2dec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated jbig2dec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Jan 2017 21:13:34 +0100
Source: jbig2dec
Binary: libjbig2dec0-dev libjbig2dec0 jbig2dec
Architecture: source
Version: 0.13-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
 jbig2dec   - JBIG2 decoder library - tools
 libjbig2dec0 - JBIG2 decoder library - shared libraries
 libjbig2dec0-dev - JBIG2 decoder library - development files
Closes: 850497
Changes:
 jbig2dec (0.13-4) unstable; urgency=medium
 .
   * Add patches cherry-picked upstream to squash signed/unsigned
     warnings and to fix warning for always-false unsigned < 0 tests.
     Closes: Bug#850497. Thanks to Salvatore Bonaccorso.
   * Modernize Vcs-Browser field: Use git subdir (not cgit).
   * Stop override lintian for
     package-needs-versioned-debhelper-build-depends: Fixed in lintian.
   * Update copyright info: Extend coverage of Debian packaging.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 Mar 2017 07:37:25 GMT).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Apr 2017 13:39:05 GMT).


Marked as fixed in versions jbig2dec/0.13-4~deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Apr 2017 13:39:05 GMT).


Marked as found in versions jbig2dec/0.11+20120125-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Apr 2017 15:24:03 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 01 May 2017 07:28:48 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:33:50 2019; Machine Name: buxtehude
