DSA-3508

[oss-security] 20160303 Security issues in JasPer (CVE-2016-1577 and CVE-2016-2116)

84133

USN-2919-1

RHSA-2017:1208

https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/1547865

The remote NewStart CGSL host, running version MAIN 4.05, has jasper packages installed that are affected by multiple vulnerabilities:

  - JasPer before version 2.0.10 is vulnerable to a null     pointer dereference was found in the decoded creation of     JPEG 2000 image files. A specially crafted file could     cause an application using JasPer to crash.
    (CVE-2016-9600)

  - A use-after-free flaw was found in the way JasPer,     before version 2.0.12, decode certain JPEG 2000 image     files. A specially crafted file could cause an     application using JasPer to crash. (CVE-2016-9591)

  - An out-of-bounds heap read vulnerability was found in     the jpc_pi_nextpcrl() function of jasper before 2.0.6     when processing crafted input. (CVE-2016-9583)

  - A heap-buffer overflow vulnerability was found in QMFB     code in JPC codec caused by buffer being allocated with     too small size. jasper versions before 2.0.0 are     affected. (CVE-2016-8654)

  - Stack-based buffer overflow in the jpc_tsfb_getbands2     function in jpc_tsfb.c in JasPer before 1.900.30 allows     remote attackers to have unspecified impact via a     crafted image. (CVE-2016-9560)

  - Multiple integer overflows in the (1) jas_realloc     function in base/jas_malloc.c and (2) mem_resize     function in base/jas_stream.c in JasPer before 1.900.22     allow remote attackers to cause a denial of service via     a crafted image, which triggers use after free     vulnerabilities. (CVE-2016-9262)

  - Integer overflow in the jpc_pi_nextcprl function in     jpc_t2cod.c in JasPer before 1.900.20 allows remote     attackers to have unspecified impact via a crafted file,     which triggers use of an uninitialized value.
    (CVE-2016-10251)

  - The jpc_pi_nextrpcl function in jpc_t2cod.c in JasPer     before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via a crafted     file. (CVE-2016-9393)

  - The calcstepsizes function in jpc_dec.c in JasPer before     1.900.17 allows remote attackers to cause a denial of     service (assertion failure) via a crafted file.
    (CVE-2016-9392)

  - The jas_seq2d_create function in jas_seq.c in JasPer     before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via a crafted     file. (CVE-2016-9394)

  - The jpc_bitstream_getbits function in jpc_bs.c in JasPer     before 2.0.10 allows remote attackers to cause a denial     of service (assertion failure) via a very large integer.
    (CVE-2016-9391)

  - The ras_getcmap function in ras_dec.c in JasPer before     1.900.14 allows remote attackers to cause a denial of     service (assertion failure) via a crafted image file.
    (CVE-2016-9388)

  - The jpc_irct and jpc_iict functions in jpc_mct.c in     JasPer before 1.900.14 allow remote attackers to cause a     denial of service (assertion failure). (CVE-2016-9389)

  - The jas_seq2d_create function in jas_seq.c in JasPer     before 1.900.14 allows remote attackers to cause a     denial of service (assertion failure) via a crafted     image file. (CVE-2016-9390)

  - Integer overflow in the jpc_dec_process_siz function in     libjasper/jpc/jpc_dec.c in JasPer before 1.900.13 allows     remote attackers to have unspecified impact via a     crafted file, which triggers an assertion failure.
    (CVE-2016-9387)

  - Integer overflow in the jpc_dec_tiledecode function in     jpc_dec.c in JasPer before 1.900.12 allows remote     attackers to have unspecified impact via a crafted image     file, which triggers a heap-based buffer overflow.
    (CVE-2016-10249)

  - The jpc_tsfb_synthesize function in jpc_tsfb.c in JasPer     before 1.900.9 allows remote attackers to cause a denial     of service (NULL pointer dereference) via vectors     involving an empty sequence. (CVE-2016-10248)

  - The jpc_dec_tiledecode function in jpc_dec.c in JasPer     before 1.900.8 allows remote attackers to cause a denial     of service (assertion failure) via a crafted file.
    (CVE-2016-8883)

  - The jpc_dec_process_siz function in     libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows     remote attackers to cause a denial of service (divide-     by-zero error and application crash) via a crafted YRsiz     value in a BMP image to the imginfo command.
    (CVE-2016-8692)

  - The bmp_getdata function in libjasper/bmp/bmp_dec.c in     JasPer 1.900.5 allows remote attackers to cause a denial     of service (NULL pointer dereference) by calling the     imginfo command with a crafted BMP image. NOTE: this     vulnerability exists because of an incomplete fix for     CVE-2016-8690. (CVE-2016-8884)

  - Double free vulnerability in the mem_close function in     jas_stream.c in JasPer before 1.900.10 allows remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted BMP image     to the imginfo command. (CVE-2016-8693)

  - The bmp_getdata function in libjasper/bmp/bmp_dec.c in     JasPer before 1.900.5 allows remote attackers to cause a     denial of service (NULL pointer dereference) via a     crafted BMP image in an imginfo command. (CVE-2016-8690)

  - The bmp_getdata function in libjasper/bmp/bmp_dec.c in     JasPer before 1.900.9 allows remote attackers to cause a     denial of service (NULL pointer dereference) by calling     the imginfo command with a crafted BMP image.
    (CVE-2016-8885)

  - The jpc_dec_process_siz function in     libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows     remote attackers to cause a denial of service (divide-     by-zero error and application crash) via a crafted XRsiz     value in a BMP image to the imginfo command.
    (CVE-2016-8691)

  - Double free vulnerability in the jas_iccattrval_destroy     function in JasPer 1.900.1 and earlier allows remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted ICC color     profile in a JPEG 2000 image file, a different     vulnerability than CVE-2014-8137. (CVE-2016-1577)

  - Memory leak in the jas_iccprof_createfrombuf function in     JasPer 1.900.1 and earlier allows remote attackers to     cause a denial of service (memory consumption) via a     crafted ICC color profile in a JPEG 2000 image file.
    (CVE-2016-2116)

  - The jas_matrix_clip function in jas_seq.c in JasPer     1.900.1 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted JPEG 2000 image. (CVE-2016-2089)

  - Double free vulnerability in the jasper_image_stop_load     function in JasPer 1.900.17 allows remote attackers to     cause a denial of service (crash) via a crafted JPEG     2000 image file. (CVE-2015-5203)

  - The jpc_pi_nextcprl function in JasPer 1.900.1 allows     remote attackers to cause a denial of service (out-of-     bounds read and application crash) via a crafted JPEG     2000 image. (CVE-2016-1867)

  - Use-after-free vulnerability in the mif_process_cmpt     function in libjasper/mif/mif_cod.c in the JasPer     JPEG-2000 library before 1.900.2 allows remote attackers     to cause a denial of service (crash) via a crafted JPEG     2000 image file. (CVE-2015-5221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600;
Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the jasper package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple flaws were found in the way JasPer decoded     JPEG 2000 image files. A specially crafted file could     cause an application using JasPer to crash or,     possibly, execute arbitrary code. (CVE-2016-8654,     CVE-2016-9560, CVE-2016-10249, CVE-2015-5203,     CVE-2015-5221, CVE-2016-1577, CVE-2016-8690,     CVE-2016-8693, CVE-2016-8884, CVE-2016-8885,     CVE-2016-9262, CVE-2016-9591)

  - Multiple flaws were found in the way JasPer decoded     JPEG 2000 image files. A specially crafted file could     cause an application using JasPer to crash.
    (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116,     CVE-2016-8691, CVE-2016-8692, CVE-2016-8883,     CVE-2016-9387, CVE-2016-9388, CVE-2016-9389,     CVE-2016-9390, CVE-2016-9391, CVE-2016-9392,     CVE-2016-9393, CVE-2016-9394, CVE-2016-9583,     CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A

specially crafted file could cause an application using JasPer to crash or,

possibly, execute arbitrary code. ( CVE-2016-8654 , CVE-2016-9560 , CVE-2016-10249 ,

CVE-2015-5203 , CVE-2015-5221 , CVE-2016-1577 , CVE-2016-8690 , CVE-2016-8693 ,

CVE-2016-8884 , CVE-2016-8885 , CVE-2016-9262 , CVE-2016-9591 )

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A

specially crafted file could cause an application using JasPer to crash.

(CVE-2016-1867 , CVE-2016-2089 , CVE-2016-2116 , CVE-2016-8691 , CVE-2016-8692 ,

CVE-2016-8883 , CVE-2016-9387 , CVE-2016-9388 , CVE-2016-9389 , CVE-2016-9390 ,

CVE-2016-9391 , CVE-2016-9392 , CVE-2016-9393 , CVE-2016-9394 , CVE-2016-9583 ,

CVE-2016-9600 , CVE-2016-10248 , CVE-2016-10251)

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600;
Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Bump release

  - Multiple security fixes (fixed by thoger): CVE-2015-5203     CVE-2015-5221 CVE-2016-1577 CVE-2016-1867     (CVE-2016-2089) CVE-2016-2116 CVE-2016-8654     CVE-2016-8690 CVE-2016-8691 (CVE-2016-8692)     CVE-2016-8693 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885     (CVE-2016-9262) CVE-2016-9387 CVE-2016-9388     CVE-2016-9389 CVE-2016-9390 (CVE-2016-9391)     CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9560     (CVE-2016-9583) CVE-2016-9591 CVE-2016-9600     CVE-2016-10248 CVE-2016-10249 (CVE-2016-10251)

  - Fix implicit declaration warning caused by security     fixes above

  - CVE-2014-8157 - dec->numtiles off-by-one check in     jpc_dec_process_sot (#1183672)

  - CVE-2014-8158 - unrestricted stack memory use in     jpc_qmfb.c (#1183680)

  - CVE-2014-8137 - double-free in in jas_iccattrval_destroy     (#1173567)

  - CVE-2014-8138 - heap overflow in jp2_decode (#1173567)

  - CVE-2014-9029 - incorrect component number check in COC,     RGN and QCC marker segment decoders (#1171209)

From Red Hat Security Advisory 2017:1208 :

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600;
Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed :

  - CVE-2016-8887: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (bsc#1006836)

  - CVE-2016-8886: memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599)

  - CVE-2016-8884,CVE-2016-8885: two NULL pointer     dereferences in bmp_getdata (incomplete fix for     CVE-2016-8690) (bsc#1007009)

  - CVE-2016-8883: assert in jpc_dec_tiledecode()     (bsc#1006598)

  - CVE-2016-8882: segfault / NULL pointer access in     jpc_pi_destroy (bsc#1006597)

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593)

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591)

  - CVE-2016-8693 Double free vulnerability in mem_close     (bsc#1005242)

  - CVE-2016-8691, CVE-2016-8692: Divide by zero in     jpc_dec_process_siz (bsc#1005090)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084)

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373) 

  - CVE-2016-2089: invalid read in the JasPer's     jas_matrix_clip() function (bsc#963983)

  - CVE-2016-1867: Out-of-bounds Read in the JasPer's     jpc_pi_nextcprl() function (bsc#961886)

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919)

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - jasper: NULL pointer dereference in jp2_colr_destroy     (jp2_cod.c) (incomplete fix for CVE-2016-8887)     (bsc#1006839)

For additional change description please have a look at the changelog.

This update was imported from the SUSE:SLE-12:Update update project.

Security fix for CVE-2015-5203, CVE-2015-5221, CVE-2016-1867, CVE-2016-1577 and CVE-2016-2116.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for jasper fixes the following issues: Security fixes :

  - CVE-2016-8887: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (bsc#1006836)

  - CVE-2016-8886: memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599)

  - CVE-2016-8884,CVE-2016-8885: two NULL pointer     dereferences in bmp_getdata (incomplete fix for     CVE-2016-8690) (bsc#1007009)

  - CVE-2016-8883: assert in jpc_dec_tiledecode()     (bsc#1006598)

  - CVE-2016-8882: segfault / NULL pointer access in     jpc_pi_destroy (bsc#1006597)

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593)

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591)

  - CVE-2016-8693: Double free vulnerability in mem_close     (bsc#1005242)

  - CVE-2016-8691, CVE-2016-8692: Divide by zero in     jpc_dec_process_siz (bsc#1005090)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084)

  - CVE-2016-2089: invalid read in the JasPer's     jas_matrix_clip() function (bsc#963983)

  - CVE-2016-1867: Out-of-bounds Read in the JasPer's     jpc_pi_nextcprl() function (bsc#961886)

  - CVE-2016-1577, CVE-2016-2116: double free vulnerability     in the jas_iccattrval_destroy function (bsc#968373)

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553)

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919)

  - CVE-2008-3522: multiple integer overflows (bsc#392410)

  - bsc#1006839: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (incomplete fix for     CVE-2016-8887)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for jasper to version 1.900.14 fixes several issues. These security issues were fixed :

  - CVE-2016-8887: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (bsc#1006836)

  - CVE-2016-8886: memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599)

  - CVE-2016-8884,CVE-2016-8885: two NULL pointer     dereferences in bmp_getdata (incomplete fix for     CVE-2016-8690) (bsc#1007009)

  - CVE-2016-8883: assert in jpc_dec_tiledecode()     (bsc#1006598)

  - CVE-2016-8882: segfault / NULL pointer access in     jpc_pi_destroy (bsc#1006597)

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593)

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591)

  - CVE-2016-8693 Double free vulnerability in mem_close     (bsc#1005242)

  - CVE-2016-8691, CVE-2016-8692: Divide by zero in     jpc_dec_process_siz (bsc#1005090)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084)

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373)

  - CVE-2016-2089: invalid read in the JasPer's     jas_matrix_clip() function (bsc#963983)

  - CVE-2016-1867: Out-of-bounds Read in the JasPer's     jpc_pi_nextcprl() function (bsc#961886)

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919)

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - jasper: NULL pointer dereference in jp2_colr_destroy     (jp2_cod.c) (incomplete fix for CVE-2016-8887)     (bsc#1006839) For additional change description please     have a look at the changelog.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed :

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919).

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2016-1577: Double free vulnerability in the     jas_iccattrval_destroy function in JasPer allowed remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted ICC color     profile in a JPEG 2000 image file, a different     vulnerability than CVE-2014-8137 (bsc#968373).

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084).

  - CVE-2016-8691, CVE-2016-8692: Missing range check on     XRsiz and YRsiz fields of SIZ marker segment     (bsc#1005090).

  - CVE-2016-8693: The memory stream interface allowed for a     buffer size of zero. The case of a zero-sized buffer was     not handled correctly, as it could lead to a double free     (bsc#1005242).

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591).

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593).

  - CVE-2016-8882: NULL pointer access in jpc_pi_destroy     (bsc#1006597).

  - CVE-2016-8883: Assert triggered in jpc_dec_tiledecode()     (bsc#1006598).

  - CVE-2016-8886: Memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599).

    For additional change description please have a look at     the changelog.

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed :

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919).

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2016-1577: Double free vulnerability in the     jas_iccattrval_destroy function in JasPer allowed remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted ICC color     profile in a JPEG 2000 image file, a different     vulnerability than CVE-2014-8137 (bsc#968373).

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084).

  - CVE-2016-8691, CVE-2016-8692: Missing range check on     XRsiz and YRsiz fields of SIZ marker segment     (bsc#1005090).

  - CVE-2016-8693: The memory stream interface allowed for a     buffer size of zero. The case of a zero-sized buffer was     not handled correctly, as it could lead to a double free     (bsc#1005242).

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591).

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593).

  - CVE-2016-8882: NULL pointer access in jpc_pi_destroy     (bsc#1006597).

  - CVE-2016-8883: Assert triggered in jpc_dec_tiledecode()     (bsc#1006598).

  - CVE-2016-8886: Memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599).

For additional change description please have a look at the changelog.

Fix broken ABI

----

Security fix for CVE-2015-5203, CVE-2015-5221, CVE-2016-1867, CVE-2016-1577 and CVE-2016-2116.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in JasPer, a library for manipulating JPEG-2000 files. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2016-1577     Jacob Baines discovered a double-free flaw in the     jas_iccattrval_destroy function. A remote attacker could     exploit this flaw to cause an application using the     JasPer library to crash, or potentially, to execute     arbitrary code with the privileges of the user running     the application.

  - CVE-2016-2089     The Qihoo 360 Codesafe Team discovered a NULL pointer     dereference flaw within the jas_matrix_clip function. A     remote attacker could exploit this flaw to cause an     application using the JasPer library to crash, resulting     in a denial-of-service.

  - CVE-2016-2116     Tyler Hicks discovered a memory leak flaw in the     jas_iccprof_createfrombuf function. A remote attacker     could exploit this flaw to cause the JasPer library to     consume memory, resulting in a denial-of-service.

Jacob Baines discovered that JasPer incorrectly handled ICC color profiles in JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash or possibly execute arbitrary code with user privileges. (CVE-2016-1577)

Tyler Hicks discovered that JasPer incorrectly handled memory when processing JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to consume memory, resulting in a denial of service.
(CVE-2016-2116).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
127345	NewStart CGSL MAIN 4.05 : jasper Multiple Vulnerabilities (NS-SA-2019-0109)	Nessus	NewStart CGSL Local Security Checks	medium
101464	Virtuozzo 6 : jasper / jasper-devel / jasper-libs / jasper-utils (VZLSA-2017-1208)	Nessus	Virtuozzo Local Security Checks	medium
100812	EulerOS 2.0 SP2 : jasper (EulerOS-SA-2017-1095)	Nessus	Huawei Local Security Checks	medium
100811	EulerOS 2.0 SP1 : jasper (EulerOS-SA-2017-1094)	Nessus	Huawei Local Security Checks	medium
100637	Amazon Linux AMI : jasper (ALAS-2017-836)	Nessus	Amazon Linux Local Security Checks	critical
100174	CentOS 6 / 7 : jasper (CESA-2017:1208)	Nessus	CentOS Local Security Checks	medium
100120	Scientific Linux Security Update : jasper on SL6.x, SL7.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
100116	OracleVM 3.3 / 3.4 : jasper (OVMSA-2017-0102)	Nessus	OracleVM Local Security Checks	high
100093	RHEL 6 / 7 : jasper (RHSA-2017:1208)	Nessus	Red Hat Local Security Checks	medium
100089	Oracle Linux 6 / 7 : jasper (ELSA-2017-1208)	Nessus	Oracle Linux Local Security Checks	medium
94945	openSUSE Security Update : jasper (openSUSE-2016-1309)	Nessus	SuSE Local Security Checks	critical
94840	Fedora 25 : jasper (2016-9b17661de5)	Nessus	Fedora Local Security Checks	medium
94729	SUSE SLES11 Security Update : jasper (SUSE-SU-2016:2776-1)	Nessus	SuSE Local Security Checks	critical
94728	SUSE SLED12 / SLES12 Security Update : jasper (SUSE-SU-2016:2775-1)	Nessus	SuSE Local Security Checks	critical
94601	openSUSE Security Update : jasper (openSUSE-2016-1270)	Nessus	SuSE Local Security Checks	critical
94596	openSUSE Security Update : jasper (openSUSE-2016-1263)	Nessus	SuSE Local Security Checks	critical
93635	Fedora 23 : jasper (2016-bbecf64af4)	Nessus	Fedora Local Security Checks	medium
92972	Fedora 24 : jasper (2016-7776983633)	Nessus	Fedora Local Security Checks	medium
89698	Debian DSA-3508-1 : jasper - security update	Nessus	Debian Local Security Checks	medium
89660	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : jasper vulnerabilities (USN-2919-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2016-1577

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins