[oss-security] 20161022 Re: jasper: two NULL pointer dereference in bmp_getdata (bmp_dec.c) (Incomplete fix for CVE-2016-8690)

[oss-security] 20161023 Re: jasper: two NULL pointer dereference in bmp_getdata (bmp_dec.c) (Incomplete fix for CVE-2016-8690)

93834

RHSA-2017:1208

https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690/

https://bugzilla.redhat.com/show_bug.cgi?id=1385499

https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698

FEDORA-2016-6c789ba91d

FEDORA-2016-e0f0d48142

According to the versions of the jasper package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Runtime libraries for jasper. Security Fix(es):Race     condition in the jas_stream_tmpfile function in     libjasper/base/jas_stream.c in JasPer 1.900.1 allows     local users to cause a denial of service (program exit)     by creating the appropriate tmp.XXXXXXXXXX temporary     file, which causes Jasper to exit. NOTE: this was     originally reported as a symlink issue, but this was     incorrect. NOTE: some vendors dispute the severity of     this issue, but it satisfies CVE's requirements for     inclusion.(CVE-2008-3521)Heap-based buffer overflow in     the jpc_dec_decodepkt function in jpc_t2dec.c in JasPer     2.0.10 allows remote attackers to have unspecified     impact via a crafted image.(CVE-2017-6852)The     jp2_colr_destroy function in jp2_cod.c in JasPer before     1.900.13 allows remote attackers to cause a denial of     service (NULL pointer dereference) by leveraging     incorrect cleanup of JP2 box data on error. NOTE: this     vulnerability exists because of an incomplete fix for     CVE-2016-8887.(CVE-2016-10250)The jp2_cdef_destroy     function in jp2_cod.c in JasPer before 2.0.13 allows     remote attackers to cause a denial of service (NULL     pointer dereference) via a crafted     image.(CVE-2017-6850)The jp2_colr_destroy function in     libjasper/jp2/jp2_cod.c in JasPer before 1.900.10     allows remote attackers to cause a denial of service     (NULL pointer dereference).(CVE-2016-8887)The     jpc_floorlog2 function in jpc_math.c in JasPer before     1.900.17 allows remote attackers to cause a denial of     service (assertion failure) via unspecified     vectors.(CVE-2016-9398)JasPer 2.0.12 is vulnerable to a     NULL pointer exception in the function jp2_encode which     failed to check to see if the image contained at least     one component resulting in a     denial-of-service.(CVE-2017-1000050)The jpc_pi_nextrpcl     function in jpc_t2cod.c in JasPer before 1.900.17     allows remote attackers to cause a denial of service     (assertion failure) via a crafted     file.(CVE-2016-9393)The bmp_getdata function in     libjasper/bmp/bmp_dec.c in JasPer 1.900.5 allows remote     attackers to cause a denial of service (NULL pointer     dereference) by calling the imginfo command with a     crafted BMP image. NOTE: this vulnerability exists     because of an incomplete fix for     CVE-2016-8690.(CVE-2016-8884)There is a reachable     assertion abort in the function jpc_dequantize() in     jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a     remote denial of service attack.(CVE-2017-13752)The     jpc_dequantize function in jpc_dec.c in JasPer 1.900.13     allows remote attackers to cause a denial of service     (assertion failure) via unspecified     vectors.(CVE-2016-9397)There is a reachable assertion     abort in the function jpc_floorlog2() in jpc/jpc_math.c     in JasPer 2.0.12 that will lead to a remote denial of     service attack.(CVE-2017-13747)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version MAIN 4.05, has jasper packages installed that are affected by multiple vulnerabilities:

  - JasPer before version 2.0.10 is vulnerable to a null     pointer dereference was found in the decoded creation of     JPEG 2000 image files. A specially crafted file could     cause an application using JasPer to crash.
    (CVE-2016-9600)

  - A use-after-free flaw was found in the way JasPer,     before version 2.0.12, decode certain JPEG 2000 image     files. A specially crafted file could cause an     application using JasPer to crash. (CVE-2016-9591)

  - An out-of-bounds heap read vulnerability was found in     the jpc_pi_nextpcrl() function of jasper before 2.0.6     when processing crafted input. (CVE-2016-9583)

  - A heap-buffer overflow vulnerability was found in QMFB     code in JPC codec caused by buffer being allocated with     too small size. jasper versions before 2.0.0 are     affected. (CVE-2016-8654)

  - Stack-based buffer overflow in the jpc_tsfb_getbands2     function in jpc_tsfb.c in JasPer before 1.900.30 allows     remote attackers to have unspecified impact via a     crafted image. (CVE-2016-9560)

  - Multiple integer overflows in the (1) jas_realloc     function in base/jas_malloc.c and (2) mem_resize     function in base/jas_stream.c in JasPer before 1.900.22     allow remote attackers to cause a denial of service via     a crafted image, which triggers use after free     vulnerabilities. (CVE-2016-9262)

  - Integer overflow in the jpc_pi_nextcprl function in     jpc_t2cod.c in JasPer before 1.900.20 allows remote     attackers to have unspecified impact via a crafted file,     which triggers use of an uninitialized value.
    (CVE-2016-10251)

  - The jpc_pi_nextrpcl function in jpc_t2cod.c in JasPer     before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via a crafted     file. (CVE-2016-9393)

  - The calcstepsizes function in jpc_dec.c in JasPer before     1.900.17 allows remote attackers to cause a denial of     service (assertion failure) via a crafted file.
    (CVE-2016-9392)

  - The jas_seq2d_create function in jas_seq.c in JasPer     before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via a crafted     file. (CVE-2016-9394)

  - The jpc_bitstream_getbits function in jpc_bs.c in JasPer     before 2.0.10 allows remote attackers to cause a denial     of service (assertion failure) via a very large integer.
    (CVE-2016-9391)

  - The ras_getcmap function in ras_dec.c in JasPer before     1.900.14 allows remote attackers to cause a denial of     service (assertion failure) via a crafted image file.
    (CVE-2016-9388)

  - The jpc_irct and jpc_iict functions in jpc_mct.c in     JasPer before 1.900.14 allow remote attackers to cause a     denial of service (assertion failure). (CVE-2016-9389)

  - The jas_seq2d_create function in jas_seq.c in JasPer     before 1.900.14 allows remote attackers to cause a     denial of service (assertion failure) via a crafted     image file. (CVE-2016-9390)

  - Integer overflow in the jpc_dec_process_siz function in     libjasper/jpc/jpc_dec.c in JasPer before 1.900.13 allows     remote attackers to have unspecified impact via a     crafted file, which triggers an assertion failure.
    (CVE-2016-9387)

  - Integer overflow in the jpc_dec_tiledecode function in     jpc_dec.c in JasPer before 1.900.12 allows remote     attackers to have unspecified impact via a crafted image     file, which triggers a heap-based buffer overflow.
    (CVE-2016-10249)

  - The jpc_tsfb_synthesize function in jpc_tsfb.c in JasPer     before 1.900.9 allows remote attackers to cause a denial     of service (NULL pointer dereference) via vectors     involving an empty sequence. (CVE-2016-10248)

  - The jpc_dec_tiledecode function in jpc_dec.c in JasPer     before 1.900.8 allows remote attackers to cause a denial     of service (assertion failure) via a crafted file.
    (CVE-2016-8883)

  - The jpc_dec_process_siz function in     libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows     remote attackers to cause a denial of service (divide-     by-zero error and application crash) via a crafted YRsiz     value in a BMP image to the imginfo command.
    (CVE-2016-8692)

  - The bmp_getdata function in libjasper/bmp/bmp_dec.c in     JasPer 1.900.5 allows remote attackers to cause a denial     of service (NULL pointer dereference) by calling the     imginfo command with a crafted BMP image. NOTE: this     vulnerability exists because of an incomplete fix for     CVE-2016-8690. (CVE-2016-8884)

  - Double free vulnerability in the mem_close function in     jas_stream.c in JasPer before 1.900.10 allows remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted BMP image     to the imginfo command. (CVE-2016-8693)

  - The bmp_getdata function in libjasper/bmp/bmp_dec.c in     JasPer before 1.900.5 allows remote attackers to cause a     denial of service (NULL pointer dereference) via a     crafted BMP image in an imginfo command. (CVE-2016-8690)

  - The bmp_getdata function in libjasper/bmp/bmp_dec.c in     JasPer before 1.900.9 allows remote attackers to cause a     denial of service (NULL pointer dereference) by calling     the imginfo command with a crafted BMP image.
    (CVE-2016-8885)

  - The jpc_dec_process_siz function in     libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows     remote attackers to cause a denial of service (divide-     by-zero error and application crash) via a crafted XRsiz     value in a BMP image to the imginfo command.
    (CVE-2016-8691)

  - Double free vulnerability in the jas_iccattrval_destroy     function in JasPer 1.900.1 and earlier allows remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted ICC color     profile in a JPEG 2000 image file, a different     vulnerability than CVE-2014-8137. (CVE-2016-1577)

  - Memory leak in the jas_iccprof_createfrombuf function in     JasPer 1.900.1 and earlier allows remote attackers to     cause a denial of service (memory consumption) via a     crafted ICC color profile in a JPEG 2000 image file.
    (CVE-2016-2116)

  - The jas_matrix_clip function in jas_seq.c in JasPer     1.900.1 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted JPEG 2000 image. (CVE-2016-2089)

  - Double free vulnerability in the jasper_image_stop_load     function in JasPer 1.900.17 allows remote attackers to     cause a denial of service (crash) via a crafted JPEG     2000 image file. (CVE-2015-5203)

  - The jpc_pi_nextcprl function in JasPer 1.900.1 allows     remote attackers to cause a denial of service (out-of-     bounds read and application crash) via a crafted JPEG     2000 image. (CVE-2016-1867)

  - Use-after-free vulnerability in the mif_process_cmpt     function in libjasper/mif/mif_cod.c in the JasPer     JPEG-2000 library before 1.900.2 allows remote attackers     to cause a denial of service (crash) via a crafted JPEG     2000 image file. (CVE-2015-5221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600;
Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the jasper package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple flaws were found in the way JasPer decoded     JPEG 2000 image files. A specially crafted file could     cause an application using JasPer to crash or,     possibly, execute arbitrary code. (CVE-2016-8654,     CVE-2016-9560, CVE-2016-10249, CVE-2015-5203,     CVE-2015-5221, CVE-2016-1577, CVE-2016-8690,     CVE-2016-8693, CVE-2016-8884, CVE-2016-8885,     CVE-2016-9262, CVE-2016-9591)

  - Multiple flaws were found in the way JasPer decoded     JPEG 2000 image files. A specially crafted file could     cause an application using JasPer to crash.
    (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116,     CVE-2016-8691, CVE-2016-8692, CVE-2016-8883,     CVE-2016-9387, CVE-2016-9388, CVE-2016-9389,     CVE-2016-9390, CVE-2016-9391, CVE-2016-9392,     CVE-2016-9393, CVE-2016-9394, CVE-2016-9583,     CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A

specially crafted file could cause an application using JasPer to crash or,

possibly, execute arbitrary code. ( CVE-2016-8654 , CVE-2016-9560 , CVE-2016-10249 ,

CVE-2015-5203 , CVE-2015-5221 , CVE-2016-1577 , CVE-2016-8690 , CVE-2016-8693 ,

CVE-2016-8884 , CVE-2016-8885 , CVE-2016-9262 , CVE-2016-9591 )

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A

specially crafted file could cause an application using JasPer to crash.

(CVE-2016-1867 , CVE-2016-2089 , CVE-2016-2116 , CVE-2016-8691 , CVE-2016-8692 ,

CVE-2016-8883 , CVE-2016-9387 , CVE-2016-9388 , CVE-2016-9389 , CVE-2016-9390 ,

CVE-2016-9391 , CVE-2016-9392 , CVE-2016-9393 , CVE-2016-9394 , CVE-2016-9583 ,

CVE-2016-9600 , CVE-2016-10248 , CVE-2016-10251)

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600;
Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Bump release

  - Multiple security fixes (fixed by thoger): CVE-2015-5203     CVE-2015-5221 CVE-2016-1577 CVE-2016-1867     (CVE-2016-2089) CVE-2016-2116 CVE-2016-8654     CVE-2016-8690 CVE-2016-8691 (CVE-2016-8692)     CVE-2016-8693 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885     (CVE-2016-9262) CVE-2016-9387 CVE-2016-9388     CVE-2016-9389 CVE-2016-9390 (CVE-2016-9391)     CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9560     (CVE-2016-9583) CVE-2016-9591 CVE-2016-9600     CVE-2016-10248 CVE-2016-10249 (CVE-2016-10251)

  - Fix implicit declaration warning caused by security     fixes above

  - CVE-2014-8157 - dec->numtiles off-by-one check in     jpc_dec_process_sot (#1183672)

  - CVE-2014-8158 - unrestricted stack memory use in     jpc_qmfb.c (#1183680)

  - CVE-2014-8137 - double-free in in jas_iccattrval_destroy     (#1173567)

  - CVE-2014-8138 - heap overflow in jp2_decode (#1173567)

  - CVE-2014-9029 - incorrect component number check in COC,     RGN and QCC marker segment decoders (#1171209)

From Red Hat Security Advisory 2017:1208 :

An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.

Security Fix(es) :

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)

Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600;
Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed :

  - CVE-2016-8887: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (bsc#1006836)

  - CVE-2016-8886: memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599)

  - CVE-2016-8884,CVE-2016-8885: two NULL pointer     dereferences in bmp_getdata (incomplete fix for     CVE-2016-8690) (bsc#1007009)

  - CVE-2016-8883: assert in jpc_dec_tiledecode()     (bsc#1006598)

  - CVE-2016-8882: segfault / NULL pointer access in     jpc_pi_destroy (bsc#1006597)

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593)

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591)

  - CVE-2016-8693 Double free vulnerability in mem_close     (bsc#1005242)

  - CVE-2016-8691, CVE-2016-8692: Divide by zero in     jpc_dec_process_siz (bsc#1005090)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084)

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373) 

  - CVE-2016-2089: invalid read in the JasPer's     jas_matrix_clip() function (bsc#963983)

  - CVE-2016-1867: Out-of-bounds Read in the JasPer's     jpc_pi_nextcprl() function (bsc#961886)

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919)

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - jasper: NULL pointer dereference in jp2_colr_destroy     (jp2_cod.c) (incomplete fix for CVE-2016-8887)     (bsc#1006839)

For additional change description please have a look at the changelog.

This update was imported from the SUSE:SLE-12:Update update project.

This update for jasper fixes the following issues: Security fixes :

  - CVE-2016-8887: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (bsc#1006836)

  - CVE-2016-8886: memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599)

  - CVE-2016-8884,CVE-2016-8885: two NULL pointer     dereferences in bmp_getdata (incomplete fix for     CVE-2016-8690) (bsc#1007009)

  - CVE-2016-8883: assert in jpc_dec_tiledecode()     (bsc#1006598)

  - CVE-2016-8882: segfault / NULL pointer access in     jpc_pi_destroy (bsc#1006597)

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593)

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591)

  - CVE-2016-8693: Double free vulnerability in mem_close     (bsc#1005242)

  - CVE-2016-8691, CVE-2016-8692: Divide by zero in     jpc_dec_process_siz (bsc#1005090)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084)

  - CVE-2016-2089: invalid read in the JasPer's     jas_matrix_clip() function (bsc#963983)

  - CVE-2016-1867: Out-of-bounds Read in the JasPer's     jpc_pi_nextcprl() function (bsc#961886)

  - CVE-2016-1577, CVE-2016-2116: double free vulnerability     in the jas_iccattrval_destroy function (bsc#968373)

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553)

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919)

  - CVE-2008-3522: multiple integer overflows (bsc#392410)

  - bsc#1006839: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (incomplete fix for     CVE-2016-8887)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for jasper to version 1.900.14 fixes several issues. These security issues were fixed :

  - CVE-2016-8887: NULL pointer dereference in     jp2_colr_destroy (jp2_cod.c) (bsc#1006836)

  - CVE-2016-8886: memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599)

  - CVE-2016-8884,CVE-2016-8885: two NULL pointer     dereferences in bmp_getdata (incomplete fix for     CVE-2016-8690) (bsc#1007009)

  - CVE-2016-8883: assert in jpc_dec_tiledecode()     (bsc#1006598)

  - CVE-2016-8882: segfault / NULL pointer access in     jpc_pi_destroy (bsc#1006597)

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593)

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591)

  - CVE-2016-8693 Double free vulnerability in mem_close     (bsc#1005242)

  - CVE-2016-8691, CVE-2016-8692: Divide by zero in     jpc_dec_process_siz (bsc#1005090)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084)

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373)

  - CVE-2016-2089: invalid read in the JasPer's     jas_matrix_clip() function (bsc#963983)

  - CVE-2016-1867: Out-of-bounds Read in the JasPer's     jpc_pi_nextcprl() function (bsc#961886)

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919)

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - jasper: NULL pointer dereference in jp2_colr_destroy     (jp2_cod.c) (incomplete fix for CVE-2016-8887)     (bsc#1006839) For additional change description please     have a look at the changelog.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update contains security fix for CVE-2016-8883, CVE-2016-8882, CVE-2016-8881, CVE-2016-8880, CVE-2016-8884, CVE-2016-8885, CVE-2016-8887, CVE-2016-8886.

----

New version of jasper is available (jasper-1.900.13). Security fix for CVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693.

----

New version of jasper is available (1.900.3)

----

Security fix for CVE-2016-2089

----

New version of jasper is available.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed :

  - CVE-2008-3522: Buffer overflow in the jas_stream_printf     function in libjasper/base/jas_stream.c in JasPer might     have allowed context-dependent attackers to have an     unknown impact via vectors related to the mif_hdr_put     function and use of vsprintf (bsc#392410)

  - CVE-2015-5203: Double free corruption in JasPer     JPEG-2000 implementation (bsc#941919).

  - CVE-2015-5221: Use-after-free (and double-free) in     Jasper JPEG-200 (bsc#942553).

  - CVE-2016-1577: Double free vulnerability in the     jas_iccattrval_destroy function in JasPer allowed remote     attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted ICC color     profile in a JPEG 2000 image file, a different     vulnerability than CVE-2014-8137 (bsc#968373).

  - CVE-2016-2116: Memory leak in the     jas_iccprof_createfrombuf function in JasPer allowed     remote attackers to cause a denial of service (memory     consumption) via a crafted ICC color profile in a JPEG     2000 image file (bsc#968373)

  - CVE-2016-8690: NULL pointer dereference in bmp_getdata     triggered by crafted BMP image (bsc#1005084).

  - CVE-2016-8691, CVE-2016-8692: Missing range check on     XRsiz and YRsiz fields of SIZ marker segment     (bsc#1005090).

  - CVE-2016-8693: The memory stream interface allowed for a     buffer size of zero. The case of a zero-sized buffer was     not handled correctly, as it could lead to a double free     (bsc#1005242).

  - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()     (bsc#1006591).

  - CVE-2016-8881: Heap overflow in jpc_getuint16()     (bsc#1006593).

  - CVE-2016-8882: NULL pointer access in jpc_pi_destroy     (bsc#1006597).

  - CVE-2016-8883: Assert triggered in jpc_dec_tiledecode()     (bsc#1006598).

  - CVE-2016-8886: Memory allocation failure in jas_malloc     (jas_malloc.c) (bsc#1006599).

    For additional change description please have a look at     the changelog.

ID	Name	Product	Family	Severity
134477	EulerOS Virtualization for ARM 64 3.0.2.0 : jasper (EulerOS-SA-2020-1188)	Nessus	Huawei Local Security Checks	high
127345	NewStart CGSL MAIN 4.05 : jasper Multiple Vulnerabilities (NS-SA-2019-0109)	Nessus	NewStart CGSL Local Security Checks	high
101464	Virtuozzo 6 : jasper / jasper-devel / jasper-libs / jasper-utils (VZLSA-2017-1208)	Nessus	Virtuozzo Local Security Checks	high
100812	EulerOS 2.0 SP2 : jasper (EulerOS-SA-2017-1095)	Nessus	Huawei Local Security Checks	high
100811	EulerOS 2.0 SP1 : jasper (EulerOS-SA-2017-1094)	Nessus	Huawei Local Security Checks	high
100637	Amazon Linux AMI : jasper (ALAS-2017-836)	Nessus	Amazon Linux Local Security Checks	critical
100174	CentOS 6 / 7 : jasper (CESA-2017:1208)	Nessus	CentOS Local Security Checks	high
100120	Scientific Linux Security Update : jasper on SL6.x, SL7.x i386/x86_64 (20170509)	Nessus	Scientific Linux Local Security Checks	high
100116	OracleVM 3.3 / 3.4 : jasper (OVMSA-2017-0102)	Nessus	OracleVM Local Security Checks	high
100093	RHEL 6 / 7 : jasper (RHSA-2017:1208)	Nessus	Red Hat Local Security Checks	high
100089	Oracle Linux 6 / 7 : jasper (ELSA-2017-1208)	Nessus	Oracle Linux Local Security Checks	high
94945	openSUSE Security Update : jasper (openSUSE-2016-1309)	Nessus	SuSE Local Security Checks	high
94729	SUSE SLES11 Security Update : jasper (SUSE-SU-2016:2776-1)	Nessus	SuSE Local Security Checks	high
94728	SUSE SLED12 / SLES12 Security Update : jasper (SUSE-SU-2016:2775-1)	Nessus	SuSE Local Security Checks	high
94689	Fedora 23 : jasper (2016-6c789ba91d)	Nessus	Fedora Local Security Checks	high
94662	Fedora 24 : jasper (2016-e0f0d48142)	Nessus	Fedora Local Security Checks	high
94601	openSUSE Security Update : jasper (openSUSE-2016-1270)	Nessus	SuSE Local Security Checks	high

CVE-2016-8884

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

high

high

high

critical

high

high

high

high

high

high

high

high

high

high

high