CVE-2023-46361
Published: 31 October 2023
Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulnerability via jbig2_error at /jbig2dec/jbig2.c.
Notes
| Author | Note |
|---|---|
Priority reason: Just a denial of service in a command line tool |
|
| mdeslaur | null pointer dereference bug listed below contains similar issue as of 2023-11-01, there is no fix available from the jbig2dec developers |
| ccdm94 | fix released on 2023-11-05. focal and earlier are not affected by this issue, as they do not include the changes from commit f9d37c7c, meaning, the uninitialized variable that causes the issue is not present in the code. |
| mdeslaur | This is just an out-of-bounds read in a command-line tool resulting in a denial of service. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jbig2dec Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| jammy |
Needed
|
|
| lunar |
Ignored
(end of life, was needed)
|
|
| mantic |
Needed
|
|
| noble |
Needed
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Pending
(0.21)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=ee53a7e4bc7819d32e8c0b2057885bcc97586bf3 upstream: https://github.com/ArtifexSoftware/jbig2dec/commit/ee53a7e4bc7819d32e8c0b2057885bcc97586bf3 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |