Debian Security Advisory

DLA-920-1 jasper -- LTS security update

Date Reported:
26 Apr 2017
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-9591, CVE-2016-10251.
More information:
  • CVE-2016-9591

    Use-after-free on heap in jas_matrix_destroy The vulnerability exists in code responsible for re-encoding the decoded input image file to a JP2 image. The vulnerability is caused by not setting related pointers to be null after the pointers are freed (i.e. missing Setting-Pointer-Null operations after free). The vulnerability can further cause double-free.

  • CVE-2016-10251

    Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in JasPer before 1.900.20 allows remote attackers to have unspecified impact via a crafted file, which triggers use of an uninitialized value.

  • Additional fix for TEMP-CVE from last upload to avoid hassle with SIZE_MAX

For Debian 7 Wheezy, these problems have been fixed in version 1.900.1-13+deb7u6.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: