CVE-2017-7885
published 2017-04-17CVE-2017-7885: Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process…
PriorityP426high7.1CVSS 3.0
AVLACLPRNUIRSUCHINAH
EPSS
1.18%
63.9th percentile
Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artifex | jbig2dec | — | — |
| artifex | jbig2dec | >= 0 < 0.13-4.1 | 0.13-4.1 |
| artifex | jbig2dec | >= 0 < 0.13-4.1 | 0.13-4.1 |
| artifex | jbig2dec | >= 0 < 0.13-4.1 | 0.13-4.1 |
| artifex | jbig2dec | >= 0 < 0.13-4.1 | 0.13-4.1 |
| artifex | jbig2dec | >= 0 < 0.11+20120125-1ubuntu1.1 | 0.11+20120125-1ubuntu1.1 |
| artifex | jbig2dec | >= 0 < 0.12+20150918-1ubuntu0.1 | 0.12+20150918-1ubuntu0.1 |
| debian | jbig2dec | < jbig2dec 0.13-4.1 (bookworm) | jbig2dec 0.13-4.1 (bookworm) |
CVSS provenance
nvdv3.07.1HIGHCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
nvdv2.05.8MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:P
osv7.1HIGH
vendor_debian7.1HIGH
vendor_redhat7.1HIGH
vendor_ubuntu5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9rxh-wvvf-hh9j: Artifex jbig2dec 0
ghsa_unreviewed·2022-05-17
CVE-2017-7885 [HIGH] CWE-190 GHSA-9rxh-wvvf-hh9j: Artifex jbig2dec 0
Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.
OSV
jbig2dec vulnerabilities
osv·2017-05-24·CVSS 5.5
CVE-2016-9601 [MEDIUM] jbig2dec vulnerabilities
jbig2dec vulnerabilities
Bingchang Liu discovered that jbig2dec incorrectly handled memory when
decoding malformed image files. If a user or automated system were tricked
into processing a specially crafted JBIG2 image file, a remote attacker
could cause jbig2dec to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9601)
It was discovered that jbig2dec incorrectly handled memory when decoding
malformed image files. If a user or automated system were tricked into
processing a specially crafted JBIG2 image file, a remote attacker could
cause jbig2dec to crash, resulting in a denial of service, or possibly
disclose sensitive information. (CVE-2017-7885)
Jiaqi Peng discovered
OSV
CVE-2017-7885: Artifex jbig2dec 0
osv·2017-04-17·CVSS 7.1
CVE-2017-7885 [HIGH] CVE-2017-7885: Artifex jbig2dec 0
Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.
Ubuntu
jbig2dec vulnerabilities
vendor_ubuntu·2017-05-24·CVSS 5.3
CVE-2016-9601 [MEDIUM] jbig2dec vulnerabilities
Title: jbig2dec vulnerabilities
Summary: Several security issues were fixed in jbig2dec.
Bingchang Liu discovered that jbig2dec incorrectly handled memory when
decoding malformed image files. If a user or automated system were tricked
into processing a specially crafted JBIG2 image file, a remote attacker
could cause jbig2dec to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9601)
It was discovered that jbig2dec incorrectly handled memory when decoding
malformed image files. If a user or automated system were tricked into
processing a specially crafted JBIG2 image file, a remote attacker could
cause jbig2dec to crash, resulting in a denial of service, or possibly
discl
Red Hat
jbig2dec: Integer overflow in jbig2_decode_symbol_dict
vendor_redhat·2017-03-30·CVSS 7.1
CVE-2017-7885 [HIGH] CWE-190 jbig2dec: Integer overflow in jbig2_decode_symbol_dict
jbig2dec: Integer overflow in jbig2_decode_symbol_dict
Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification.
Package: ghostscript (Red Hat Enterprise Linux 5) - Will not fix
Package: ghostscript (Red Hat Enterprise Linux 6) - Will not fix
Pa
Debian
CVE-2017-7885: jbig2dec - Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of ser...
vendor_debian·2017·CVSS 7.1
CVE-2017-7885 [HIGH] CVE-2017-7885: jbig2dec - Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of ser...
Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.
Scope: local
bookworm: resolved (fixed in 0.13-4.1)
bullseye: resolved (fixed in 0.13-4.1)
forky: resolved (fixed in 0.13-4.1)
sid: resolved (fixed in 0.13-4.1)
trixie: resolved (fixed in 0.13-4.1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 mupdf: various flaws [fedora-all]
bugzilla·2017-04-20·CVSS 7.1
CVE-2017-7885 [HIGH] CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 mupdf: various flaws [fedora-all]
CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 mupdf: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions o
Bugzilla
CVE-2017-7885 jbig2dec: Integer overflow in jbig2_decode_symbol_dict
bugzilla·2017-04-20·CVSS 7.1
CVE-2017-7885 [HIGH] CVE-2017-7885 jbig2dec: Integer overflow in jbig2_decode_symbol_dict
CVE-2017-7885 jbig2dec: Integer overflow in jbig2_decode_symbol_dict
jbig2dec has a heap-based buffer over-read leading to denial of service (application crash) because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.
Upstream bug:
https://bugs.ghostscript.com/show_bug.cgi?id=697703
Discussion:
Created jbig2dec tracking bugs for this issue:
Affects: epel-all [bug 1443899]
---
Acknowledgments:
Name: Dai Ge (Chinese Academy of Sciences)
---
Upstream fix :
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b184e783702246e15
---
Statement:
Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future update
Bugzilla
CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 ghostscript: various flaws [fedora-all]
bugzilla·2017-04-20·CVSS 7.1
CVE-2017-7885 [HIGH] CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 ghostscript: various flaws [fedora-all]
CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 ghostscript: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported vers
Bugzilla
CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 jbig2dec: various flaws [epel-all]
bugzilla·2017-04-20·CVSS 7.1
CVE-2017-7885 [HIGH] CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 jbig2dec: various flaws [epel-all]
CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 jbig2dec: various flaws [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of
Bugzilla
CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 jbig2dec: various flaws [fedora-all]
bugzilla·2017-04-20·CVSS 7.1
CVE-2017-7885 [HIGH] CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 jbig2dec: various flaws [fedora-all]
CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 jbig2dec: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported version
2017-04-17
Published