Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information from process memory.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - ghostscript before version 9.21 is vulnerable to a heap     based buffer overflow that was found in the ghostscript     jbig2_decode_gray_scale_image function which is used to     decode halftone segments in a JBIG2 image. A document     (PostScript or PDF) with an embedded, specially     crafted, jbig2 image could trigger a segmentation fault     in ghostscript.(CVE-2016-9601)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - The Ins_MDRP function in base/ttinterp.c in Artifex     Ghostscript GhostXPS 9.21 allows remote attackers to     cause a denial of service (heap-based buffer over-read     and application crash) or possibly have unspecified     other impact via a crafted document.(CVE-2017-9726)

  - The gx_ttfReader__Read function in base/gxttfb.c in     Artifex Ghostscript GhostXPS 9.21 allows remote     attackers to cause a denial of service (heap-based     buffer over-read and application crash) or possibly     have unspecified other impact via a crafted     document.(CVE-2017-9727)

  - The Ins_JMPR function in base/ttinterp.c in Artifex     Ghostscript GhostXPS 9.21 allows remote attackers to     cause a denial of service (heap-based buffer over-read     and application crash) or possibly have unspecified     other impact via a crafted document.(CVE-2017-9739)

  - The Ins_IP function in base/ttinterp.c in Artifex     Ghostscript GhostXPS 9.21 allows remote attackers to     cause a denial of service (use-after-free and     application crash) or possibly have unspecified other     impact via a crafted document.(CVE-2017-9612)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - The gx_ttfReader__Read function in base/gxttfb.c in     Artifex Ghostscript GhostXPS 9.21 allows remote     attackers to cause a denial of service (heap-based     buffer over-read and application crash) or possibly     have unspecified other impact via a crafted     document.(CVE-2017-9727)

  - The Ins_IP function in base/ttinterp.c in Artifex     Ghostscript GhostXPS 9.21 allows remote attackers to     cause a denial of service (use-after-free and     application crash) or possibly have unspecified other     impact via a crafted document.(CVE-2017-9612)

  - The Ins_JMPR function in base/ttinterp.c in Artifex     Ghostscript GhostXPS 9.21 allows remote attackers to     cause a denial of service (heap-based buffer over-read     and application crash) or possibly have unspecified     other impact via a crafted document.(CVE-2017-9739)

  - The Ins_MDRP function in base/ttinterp.c in Artifex     Ghostscript GhostXPS 9.21 allows remote attackers to     cause a denial of service (heap-based buffer over-read     and application crash) or possibly have unspecified     other impact via a crafted document.(CVE-2017-9726)

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - A flaw was found in the .pdfexectoken and other     procedures where it did not properly secure its     privileged calls, enabling scripts to bypass `-dSAFER`     restrictions. A specially crafted PostScript file could     disable security protection and then have access to the     file system, or execute arbitrary     commands.(CVE-2019-14817)

  - A flaw was found in the setsystemparams procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14813)

  - A flaw was found in the .setuserparams2 procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14812)

  - A flaw was found in the .pdf_hook_DSC_Creator procedure     where it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14811)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - ghostscript before version 9.21 is vulnerable to a heap     based buffer overflow that was found in the ghostscript     jbig2_decode_gray_scale_image function which is used to     decode halftone segments in a JBIG2 image. A document     (PostScript or PDF) with an embedded, specially     crafted, jbig2 image could trigger a segmentation fault     in ghostscript.(CVE-2016-9601)

  - In Artifex Ghostscript before 9.26, a carefully crafted     PDF file can trigger an extremely long running     computation when parsing the file.(CVE-2018-19478)

  - It was found that the .buildfont1 procedure did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. An attacker could     abuse this flaw by creating a specially crafted     PostScript file that could escalate privileges and     access files outside of restricted     areas.(CVE-2019-10216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - A flaw was found in, ghostscript versions prior to     9.50, in the .pdfexectoken and other procedures where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14817)

  - A flaw was found in ghostscript, versions 9.x before     9.50, in the setsystemparams procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands.(CVE-2019-14813)

  - A flaw was found in all ghostscript versions 9.x before     9.50, in the .setuserparams2 procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands.(CVE-2019-14812)

  - A flaw was found in, ghostscript versions prior to     9.50, in the .pdf_hook_DSC_Creator procedure where it     did not properly secure its privileged calls, enabling     scripts to bypass `-dSAFER` restrictions. A specially     crafted PostScript file could disable security     protection and then have access to the file system, or     execute arbitrary commands.(CVE-2019-14811)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - A heap based buffer overflow was found in the     ghostscript jbig2_decode_gray_scale_image() function     used to decode halftone segments in a JBIG2 image. A     document (PostScript or PDF) with an embedded,     specially crafted, jbig2 image could trigger a     segmentation fault in ghostscript.(CVE-2016-9601)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript before version 9.21 is vulnerable to a heap     based buffer overflow that was found in the ghostscript     jbig2_decode_gray_scale_image function which is used to     decode halftone segments in a JBIG2 image. A document     (PostScript or PDF) with an embedded, specially     crafted, jbig2 image could trigger a segmentation fault     in ghostscript.(CVE-2016-9601)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for mupdf fixes the following issues :

Security issues fixed :

  - CVE-2017-7976: integer overflow (jbig2_image_compose     function in jbig2_image.c) during operations on a     crafted .jb2 file (boo#1052029).

  - CVE-2016-10221: count_entries in pdf-layer.c allows for     DoS (boo#1032140).

  - CVE-2016-8728: Fitz library font glyph scaling Code     Execution Vulnerability (boo#1039850).

Bug fixes :

  - Update to version 1.11

  - This is primarily a bug fix release.

  - PDF portfolio support with command line tool 'mutool     portfolio'.

  - Add callbacks to load fallback fonts from the system.

  - Use system fonts in Android to reduce install size.

  - Flag to disable publisher styles in EPUB layout.

  - Improved SVG output.

  - Add reproducible.patch to sort input files to make build     reproducible (boo#1041090)

  - mupdf is not a terminal app (boo#1036637)

The remote host is affected by the vulnerability described in GLSA-201708-10 (jbig2dec: User-assisted execution of arbitrary code)

    Integer overflow errors have been discovered in the       jbig2_decode_symbol_dict, jbig2_build_huffman_table, and       jbig2_image_compose functions of jbig2dec.
  Impact :

    A remote attacker, by enticing a user to open a specially crafted JBIG2       file using an application linked against jbig2dec, could possibly execute       arbitrary code with the privileges of the process or cause a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3297-1 advisory.

    Bingchang Liu discovered that jbig2dec incorrectly handled memory when decoding malformed image files. If     a user or automated system were tricked into processing a specially crafted JBIG2 image file, a remote     attacker could cause jbig2dec to crash, resulting in a denial of service, or possibly execute arbitrary     code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9601)

    It was discovered that jbig2dec incorrectly handled memory when decoding malformed image files. If a user     or automated system were tricked into processing a specially crafted JBIG2 image file, a remote attacker     could cause jbig2dec to crash, resulting in a denial of service, or possibly disclose sensitive     information. (CVE-2017-7885)

    Jiaqi Peng discovered that jbig2dec incorrectly handled memory when decoding malformed image files. If a     user or automated system were tricked into processing a specially crafted JBIG2 image file, a remote     attacker could cause jbig2dec to crash, resulting in a denial of service, or possibly execute arbitrary     code. (CVE-2017-7975)

    Dai Ge discovered that jbig2dec incorrectly handled memory when decoding malformed image files. If a user     or automated system were tricked into processing a specially crafted JBIG2 image file, a remote attacker     could cause jbig2dec to crash, resulting in a denial of service, or possibly disclose sensitive     information. (CVE-2017-7976)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security issues have been found in the JBIG2 decoder library, which may lead to denial of service, disclosure of sensitive information from process memory or the execution of arbitrary code if a malformed image file (usually embedded in a PDF document) is opened.

CVE-2017-7885 Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.

CVE-2017-7975 Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code.

CVE-2017-7976 Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information from process memory.

For Debian 7 'Wheezy', these problems have been fixed in version 0.13-4~deb7u2.

We recommend that you upgrade your jbig2dec packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
153342	EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2021-2372)	Nessus	Huawei Local Security Checks	high
149171	EulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2021-1788)	Nessus	Huawei Local Security Checks	high
135661	EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)	Nessus	Huawei Local Security Checks	critical
134529	EulerOS Virtualization for ARM 64 3.0.2.0 : ghostscript (EulerOS-SA-2020-1240)	Nessus	Huawei Local Security Checks	critical
131802	EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-2528)	Nessus	Huawei Local Security Checks	high
104766	openSUSE Security Update : mupdf (openSUSE-2017-1300)	Nessus	SuSE Local Security Checks	high
102799	GLSA-201708-10 : jbig2dec: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
100413	Ubuntu 14.04 LTS / 16.04 LTS : jbig2dec vulnerabilities (USN-3297-1)	Nessus	Ubuntu Local Security Checks	high
100277	Debian DSA-3855-1 : jbig2dec - security update	Nessus	Debian Local Security Checks	high
100177	Debian DLA-942-1 : jbig2dec security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-7976

high

Tenable Plugins

high

high

critical

critical

high

high

high

high

high

high