Bug 1410021 (CVE-2016-9601) - CVE-2016-9601 ghostscript: Heap-buffer overflow due to Integer overflow in jbig2_image_new function
Summary: CVE-2016-9601 ghostscript: Heap-buffer overflow due to Integer overflow in jb...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-9601
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1410022
Blocks: 1410024
TreeView+ depends on / blocked
 
Reported: 2017-01-04 08:55 UTC by Andrej Nemec
Modified: 2019-09-29 14:03 UTC (History)
14 users (show)

Fixed In Version: ghostscript 9.21
Doc Type: If docs needed, set a value
Doc Text:
A heap based buffer overflow was found in the ghostscript jbig2_decode_gray_scale_image() function used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript.
Clone Of:
Environment:
Last Closed: 2017-05-03 08:32:21 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-01-04 08:55:35 UTC
A heap-buffer overflow caused by integer overflow was found in ghostscript's jbig2dec-0.13 (a decoder implementation of the JBIG2 image compression format). The vulnerability is caused by an Addition-1 integer overflow. The overflowed value is passed to function ‘malloc’ as the SIZE parameter and a buffer with zero size is allocated. Later, out-of-bound read/write can happen when accessing the buffer. Whether it’s an out-of-bound read vulnerability or out-of-bound write can be controlled by crafting the input .jb2 file. The vulnerability can cause Denial-of-Service or possibly corrupt some memory data.

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697457

Comment 1 Andrej Nemec 2017-01-04 08:55:52 UTC
Acknowledgments:

Name: Bingchang Liu (IIE)

Comment 2 Andrej Nemec 2017-01-04 08:56:22 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1410022]

Comment 4 Cedric Buissart 🐶 2017-04-06 16:02:38 UTC
RHEL-6 and older are not affected : the vulnerability affects the jbig2 halftone image support, which was added in ghostscript-9.05 (RHEL-6 is based on ghostscript-8.70)


Note You need to log in before you can comment on or make changes to this bug.