Debian Security Advisory

DLA-920-1 jasper -- LTS security update

Date Reported:
26 Apr 2017
Affected Packages:
jasper
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2016-9591, CVE-2016-10251.
More information:
  • CVE-2016-9591

    Use-after-free on the heap in jas_matrix_destroy. The vulnerability exists in the code responsible for re-encoding the decoded input image file to a JP2 image. It is caused by not setting related pointers to null after those pointers are freed (i.e. missing set-pointer-to-null operations after free). The vulnerability can further cause a double free.

  • CVE-2016-10251

    Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in JasPer before 1.900.20 allows remote attackers to have unspecified impact via a crafted file, which triggers use of an uninitialized value.

  • Additional fix for the TEMP-CVE addressed in the previous upload, to avoid problems with SIZE_MAX.
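As an added illustration of the defect class behind CVE-2016-9591 (example code written for this advisory, not JasPer's source; the matrix type and function names are hypothetical stand-ins): a destroy routine that leaves the caller's pointer dangling, beside a hardened form that clears it so a repeated destroy cannot become a double free.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a JasPer-style matrix; not the real jas_matrix_t. */
typedef struct {
    int **rows;   /* row pointer table, each entry points into data */
    int *data;    /* single backing block */
} matrix_t;

/* Defective pattern (the bug class in CVE-2016-9591): frees the object but
 * leaves the caller's pointer dangling; a second destroy of the same object
 * is a use-after-free that becomes a double free. */
void matrix_destroy_dangling(matrix_t *m)
{
    if (!m) return;
    free(m->data);
    free(m->rows);
    free(m);
}

matrix_t *matrix_create(int numrows, int numcols)
{
    matrix_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->rows = calloc((size_t)numrows, sizeof *m->rows);
    m->data = calloc((size_t)numrows * (size_t)numcols, sizeof *m->data);
    if (!m->rows || !m->data) { matrix_destroy_dangling(m); return NULL; } /* m is local here */
    for (int i = 0; i < numrows; ++i)
        m->rows[i] = m->data + (size_t)i * (size_t)numcols;
    return m;
}

/* Hardened pattern: take the pointer by address and clear it after release,
 * so a repeated destroy is a no-op. Returns 1 if it freed something, else 0. */
int matrix_destroy_safe(matrix_t **mp)
{
    if (!mp || !*mp) return 0;
    matrix_destroy_dangling(*mp);
    *mp = NULL;   /* the "set pointer to null after free" step the fix adds */
    return 1;
}

/* Destroys one object twice via the safe path. Returns 1 when the first call
 * freed it, the second was a no-op, and the caller's pointer is now NULL. */
int demo_double_destroy(void)
{
    matrix_t *m = matrix_create(4, 3);
    if (!m) return -1;
    int first = matrix_destroy_safe(&m);
    int second = matrix_destroy_safe(&m);   /* m is NULL: nothing freed */
    return (first == 1 && second == 0 && m == NULL) ? 1 : 0;
}
```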

For Debian 7 Wheezy, these problems have been fixed in version 1.900.1-13+deb7u6.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS