ArchLinuxASA-201711-28[ASA-201711-28] jbig2dec: denial of service
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
38.1%
Arch Linux Security Advisory ASA-201711-28
Severity: Medium
Date : 2017-11-22
CVE-ID : CVE-2017-9216
Package : jbig2dec
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-517
Summary
The package jbig2dec before version 0.14-1 is vulnerable to denial of
service.
Resolution
Upgrade to 0.14-1.
pacman -Syu “jbig2dec>=0.14-1”
The problem has been fixed upstream in version 0.14.
Workaround
None.
Description
libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and
Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get
function in jbig2_huffman.c. For example, the jbig2dec utility will
crash (segmentation fault) when parsing an invalid file.
Impact
A remote attacker is able to crash the application by providing an
invalid file.
References
https://bugs.archlinux.org/task/56405
https://bugs.ghostscript.com/show_bug.cgi?id=697934
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ebffb1d96ba0cacec23016eccb4047dab365853
https://security.archlinux.org/CVE-2017-9216
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
38.1%