[Secure-testing-team] Bug#869708: jbigkit: CVE-2017-9937

Salvatore Bonaccorso carnil at debian.org
Tue Jul 25 20:28:26 UTC 2017 

Source: jbigkit
Version: 2.1-3.1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for jbigkit.

CVE-2017-9937[0]:
| In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A
| crafted TIFF document can lead to an abort resulting in a remote denial
| of service attack.

Note, that originally the issue has been reported for LibTIFF project,
[1], but as shown in [2] the issue lies in jbigkit itself. It can be
seen either with an ASAN build, or under valgrind:

==10811== Memcheck, a memory error detector
==10811== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10811== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==10811== Command: ./jbigkit-2.1/pbmtools/jbgtopbm ./poc2_only_jbig_content
==10811== 
==10811== 
==10811== Process terminating with default action of signal 6 (SIGABRT)
==10811==    at 0x5078FCF: raise (raise.c:51)
==10811==    by 0x507A3F9: abort (abort.c:89)
==10811==    by 0x4E3944C: ??? (in /usr/lib/x86_64-linux-gnu/libjbig.so.0)
==10811==    by 0x4E3EB79: jbg_dec_in (in /usr/lib/x86_64-linux-gnu/libjbig.so.0)
==10811==    by 0x109233: main (jbgtopbm.c:407)
==10811== 
==10811== HEAP SUMMARY:
==10811==     in use at exit: 17,192 bytes in 14 blocks
==10811==   total heap usage: 15 allocs, 1 frees, 21,288 bytes allocated
==10811== 
==10811== LEAK SUMMARY:
==10811==    definitely lost: 0 bytes in 0 blocks
==10811==    indirectly lost: 0 bytes in 0 blocks
==10811==      possibly lost: 0 bytes in 0 blocks
==10811==    still reachable: 17,192 bytes in 14 blocks
==10811==         suppressed: 0 bytes in 0 blocks
==10811== Rerun with --leak-check=full to see details of leaked memory
==10811== 
==10811== For counts of detected and suppressed errors, rerun with: -v
==10811== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Aborted
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9937
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9937
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2707
[2] http://bugzilla.maptools.org/show_bug.cgi?id=2707#c8

Regards,
Salvatore

More information about the Secure-testing-team mailing list