PT-2019-6089 · Djvulibre+4 · Djvulibre+4

Hongxu Chen

Publicado

2019-08-18

Atualizado

2024-06-15

CVE-2019-15145

CVSS v3.1

5.5

Média

Vetor

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions DjVuLibre version 3.5.27

Description The issue is related to a missing zero-bytes check, which can be exploited by crafting a corrupted JB2 image file. This can cause a denial-of-service attack, leading to an application crash via an out-of-bounds read in the get direct context function of JB2Dict::JB2Codec in libdjvu/JB2Image.h. The vulnerability can be exploited by a remote attacker to cause a denial-of-service.

Recommendations For DjVuLibre version 3.5.27, consider updating to a newer version that includes a fix for the missing zero-bytes check in libdjvu/GBitmap.h. As a temporary workaround, avoid using the get direct context function of JB2Dict::JB2Codec until a patch is available. Restrict access to corrupted JB2 image files to minimize the risk of exploitation.

Exploit

Correção

DoS

Out of bounds Read

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-125

Identificadores relacionados

ALT-PU-2022-1603

ALT-PU-2022-3240

BDU:2021-05177

CVE-2019-15145

DLA-1902-1

DLA-2667-1

DSA-5032-1

MGASA-2019-0346

OESA-2021-1034

OPENSUSE-SU-2019:2217-1

OPENSUSE-SU-2019:2219-1

OPENSUSE-SU-2019_2217-1

OPENSUSE-SU-2019_2219-1

OPENSUSE-SU-2024:10719-1

SUSE-SU-2019:2444-1

SUSE-SU-2019:2452-1

USN-4198-1

Produtos afetados

Alt Linux

Astra Linux

Djvulibre

Suse

Ubuntu

PT-2019-6089 · Djvulibre+4 · Djvulibre+4

CVE-2019-15145

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 67