Debian Long Term Support / LTS Security Information / 2018 / Security Information -- DLA-1583-1 jasper

Debian Security Advisory

DLA-1583-1 jasper -- LTS security update

Date Reported:

21 Nov 2018

Affected Packages:

jasper

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-5203, CVE-2015-5221, CVE-2016-8690, CVE-2017-13748, CVE-2017-14132.

More information:

Several security vulnerabilities were discovered in the JasPer JPEG-2000 library.

• CVE-2015-5203

  Gustavo Grieco discovered an integer overflow vulnerability that allows remote attackers to cause a denial of service or may have other unspecified impact via a crafted JPEG 2000 image file.

• CVE-2015-5221

  Josselin Feist found a double-free vulnerability that allows remote attackers to cause a denial-of-service (application crash) by processing a malformed image file.

• CVE-2016-8690

  Gustavo Grieco discovered a NULL pointer dereference vulnerability that can cause a denial-of-service via a crafted BMP image file. The update also includes the fixes for the related issues CVE-2016-8884 and CVE-2016-8885 which complete the patch for CVE-2016-8690.

• CVE-2017-13748

  It was discovered that jasper does not properly release memory used to store image tile data when image decoding fails which may lead to a denial-of-service.

• CVE-2017-14132

  A heap-based buffer over-read was found related to the jas_image_ishomosamp function that could be triggered via a crafted image file and may cause a denial-of-service (application crash) or have other unspecified impact.

For Debian 8 Jessie, these problems have been fixed in version 1.900.1-debian1-2.4+deb8u4.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS