Ubuntu Security Notice 3297-1 - Bingchang Liu discovered that jbig2dec incorrectly handled memory when decoding malformed image files. If a user or automated system were tricked into processing a specially crafted JBIG2 image file, a remote attacker could cause jbig2dec to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. It was discovered that jbig2dec incorrectly handled memory when decoding malformed image files. If a user or automated system were tricked into processing a specially crafted JBIG2 image file, a remote attacker could cause jbig2dec to crash, resulting in a denial of service, or possibly disclose sensitive information. Various other issues were also addressed.
8995d60474715ca698f623cfd847001e10d5652f23121b9db2700dc1ab3047cc
===========================================================================
Ubuntu Security Notice USN-3297-1
May 24, 2017
jbig2dec vulnerabilities
===========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in jbig2dec.
Software Description:
- jbig2dec: JBIG2 decoder library
Details:
Bingchang Liu discovered that jbig2dec incorrectly handled memory when
decoding malformed image files. If a user or automated system were tricked
into processing a specially crafted JBIG2 image file, a remote attacker
could cause jbig2dec to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9601)
It was discovered that jbig2dec incorrectly handled memory when decoding
malformed image files. If a user or automated system were tricked into
processing a specially crafted JBIG2 image file, a remote attacker could
cause jbig2dec to crash, resulting in a denial of service, or possibly
disclose sensitive information. (CVE-2017-7885)
Jiaqi Peng discovered that jbig2dec incorrectly handled memory when
decoding malformed image files. If a user or automated system were tricked
into processing a specially crafted JBIG2 image file, a remote attacker
could cause jbig2dec to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2017-7975)
Dai Ge discovered that jbig2dec incorrectly handled memory when decoding
malformed image files. If a user or automated system were tricked into
processing a specially crafted JBIG2 image file, a remote attacker could
cause jbig2dec to crash, resulting in a denial of service, or possibly
disclose sensitive information. (CVE-2017-7976)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
jbig2dec 0.13-4ubuntu0.1
libjbig2dec0 0.13-4ubuntu0.1
Ubuntu 16.10:
jbig2dec 0.13-2ubuntu0.1
libjbig2dec0 0.13-2ubuntu0.1
Ubuntu 16.04 LTS:
jbig2dec 0.12+20150918-1ubuntu0.1
libjbig2dec0 0.12+20150918-1ubuntu0.1
Ubuntu 14.04 LTS:
jbig2dec 0.11+20120125-1ubuntu1.1
libjbig2dec0 0.11+20120125-1ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3297-1
CVE-2016-9601, CVE-2017-7885, CVE-2017-7975, CVE-2017-7976
Package Information:
https://launchpad.net/ubuntu/+source/jbig2dec/0.13-4ubuntu0.1
https://launchpad.net/ubuntu/+source/jbig2dec/0.13-2ubuntu0.1
https://launchpad.net/ubuntu/+source/jbig2dec/0.12+20150918-1ubuntu0.1
https://launchpad.net/ubuntu/+source/jbig2dec/0.11+20120125-1ubuntu1.1
--7xRDPxi46Xm8bjg06p0QQheaS4vsdRdfT--