Security: Denial of Service in JBIG-KIT
Name: Denial of Service in JBIG-KIT
ID: USN-5742-1
Distribution: Ubuntu
Platforms: Ubuntu 18.04 LTS, Ubuntu 14.04 ESM, Ubuntu 20.04 LTS, Ubuntu 16.04 ESM, Ubuntu 22.04 LTS, Ubuntu 22.10
Date: Thu, 24 November 2022, 21:23
References: https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.22.10.1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9937
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.20.04.1
Applications: JBIG-KIT

Original message

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
From: Camila Camargo de Matos <camila.camargodematos@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <c60f7cd7-5e95-d93e-618a-e3bc6b5ad30b@canonical.com>
Subject: [USN-5742-1] JBIG-KIT vulnerability

==========================================================================
Ubuntu Security Notice USN-5742-1
November 24, 2022

jbigkit vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

JBIG-KIT could be made to crash if it opened a specially crafted file.

Software Description:
- jbigkit: JBIG1 data compression library

Details:

It was discovered that JBIG-KIT incorrectly handled decoding certain large
image files. If a user or automated system using JBIG-KIT were tricked into
opening a specially crafted file, an attacker could possibly use this issue
to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  jbigkit-bin                     2.1-3.1ubuntu0.22.10.1
  libjbig0                        2.1-3.1ubuntu0.22.10.1

Ubuntu 22.04 LTS:
  jbigkit-bin                     2.1-3.1ubuntu0.22.04.1
  libjbig0                        2.1-3.1ubuntu0.22.04.1

Ubuntu 20.04 LTS:
  jbigkit-bin                     2.1-3.1ubuntu0.20.04.1
  libjbig0                        2.1-3.1ubuntu0.20.04.1

Ubuntu 18.04 LTS:
  jbigkit-bin                     2.1-3.1ubuntu0.18.04.1
  libjbig0                        2.1-3.1ubuntu0.18.04.1

Ubuntu 16.04 ESM:
  jbigkit-bin                     2.1-3.1ubuntu0.1~esm1
  libjbig0                        2.1-3.1ubuntu0.1~esm1

Ubuntu 14.04 ESM:
  jbigkit-bin                     2.0-2ubuntu4.1+esm1
  libjbig0                        2.0-2ubuntu4.1+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5742-1
  CVE-2017-9937

Package Information:
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.18.04.1
