CVE-2017-11590

NameCVE-2017-11590
DescriptionThere is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. A crafted input will lead to a remote denial of service attack.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1054-1
Debian Bugs870183

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libgxps (PTS)bullseye0.3.2-1fixed
bookworm0.3.2-2fixed
trixie0.3.2-4fixed
forky, sid0.3.2-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libgxpssourcewheezy0.2.2-2+deb7u1DLA-1054-1
libgxpssource(unstable)0.3.0-1low870183

Notes

[stretch] - libgxps <no-dsa> (Minor issue)
[jessie] - libgxps <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1473167
https://bugzilla.gnome.org/show_bug.cgi?id=785479
Fixed by: https://git.gnome.org/browse/libgxps/commit/?id=9d5d2920
Search for package or bug name: Reporting problems