100514

https://bugzilla.redhat.com/show_bug.cgi?id=1485287

[debian-lts-announce] 20181121 [SECURITY] [DLA 1583-1] jasper security update

FEDORA-2021-0a6290f865

FEDORA-2021-2b151590d9

GLSA-201908-03

The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-0a6290f865 advisory.

  - The JPC_NOMINALGAIN function in jpc/jpc_t1cod.c in JasPer through 2.0.12 allows remote attackers to cause     a denial of service (JPC_COX_RFT assertion failure) via unspecified vectors. (CVE-2016-9396)

  - The jpc_dequantize function in jpc_dec.c in JasPer 1.900.13 allows remote attackers to cause a denial of     service (assertion failure) via unspecified vectors. (CVE-2016-9397)

  - The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via unspecified vectors. (CVE-2016-9398)

  - The calcstepsizes function in jpc_dec.c in JasPer 1.900.22 allows remote attackers to cause a denial of     service (assertion failure) via unspecified vectors. (CVE-2016-9399)

  - There is a reachable assertion abort in the function jpc_dec_process_sot() in jpc/jpc_dec.c in JasPer     2.0.12 that will lead to a remote denial of service attack by triggering an unexpected     jpc_ppmstabtostreams return value, a different vulnerability than CVE-2018-9154. (CVE-2017-13745)

  - There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1297 in JasPer     2.0.12 that will lead to a remote denial of service attack. (CVE-2017-13746)

  - There is a reachable assertion abort in the function jpc_floorlog2() in jpc/jpc_math.c in JasPer 2.0.12     that will lead to a remote denial of service attack. (CVE-2017-13747)

  - There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in     base/jas_string.c, that will lead to a remote denial of service attack. (CVE-2017-13748)

  - There is a reachable assertion abort in the function jpc_pi_nextrpcl() in jpc/jpc_t2cod.c in JasPer 2.0.12     that will lead to a remote denial of service attack. (CVE-2017-13749)

  - There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1296 in JasPer     2.0.12 that will lead to a remote denial of service attack. (CVE-2017-13750)

  - There is a reachable assertion abort in the function calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12     that will lead to a remote denial of service attack. (CVE-2017-13751)

  - There is a reachable assertion abort in the function jpc_dequantize() in jpc/jpc_dec.c in JasPer 2.0.12     that will lead to a remote denial of service attack. (CVE-2017-13752)

  - JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17,     1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27,     1.900.28, 1.900.29, 1.900.30, 1.900.31, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8,     2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application crash) via a crafted image, related to the     jas_image_ishomosamp function in libjasper/base/jas_image.c. (CVE-2017-14132)

  - JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check     to see if the image contained at least one component resulting in a denial-of-service. (CVE-2017-1000050)

  - There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an     attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality,     integrity, or application availability. (CVE-2020-27828)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-2b151590d9 advisory.

  - The JPC_NOMINALGAIN function in jpc/jpc_t1cod.c in JasPer through 2.0.12 allows remote attackers to cause     a denial of service (JPC_COX_RFT assertion failure) via unspecified vectors. (CVE-2016-9396)

  - The jpc_dequantize function in jpc_dec.c in JasPer 1.900.13 allows remote attackers to cause a denial of     service (assertion failure) via unspecified vectors. (CVE-2016-9397)

  - The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via unspecified vectors. (CVE-2016-9398)

  - The calcstepsizes function in jpc_dec.c in JasPer 1.900.22 allows remote attackers to cause a denial of     service (assertion failure) via unspecified vectors. (CVE-2016-9399)

  - There is a reachable assertion abort in the function jpc_dec_process_sot() in jpc/jpc_dec.c in JasPer     2.0.12 that will lead to a remote denial of service attack by triggering an unexpected     jpc_ppmstabtostreams return value, a different vulnerability than CVE-2018-9154. (CVE-2017-13745)

  - There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1297 in JasPer     2.0.12 that will lead to a remote denial of service attack. (CVE-2017-13746)

  - There is a reachable assertion abort in the function jpc_floorlog2() in jpc/jpc_math.c in JasPer 2.0.12     that will lead to a remote denial of service attack. (CVE-2017-13747)

  - There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in     base/jas_string.c, that will lead to a remote denial of service attack. (CVE-2017-13748)

  - There is a reachable assertion abort in the function jpc_pi_nextrpcl() in jpc/jpc_t2cod.c in JasPer 2.0.12     that will lead to a remote denial of service attack. (CVE-2017-13749)

  - There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1296 in JasPer     2.0.12 that will lead to a remote denial of service attack. (CVE-2017-13750)

  - There is a reachable assertion abort in the function calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12     that will lead to a remote denial of service attack. (CVE-2017-13751)

  - There is a reachable assertion abort in the function jpc_dequantize() in jpc/jpc_dec.c in JasPer 2.0.12     that will lead to a remote denial of service attack. (CVE-2017-13752)

  - JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17,     1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27,     1.900.28, 1.900.29, 1.900.30, 1.900.31, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8,     2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application crash) via a crafted image, related to the     jas_image_ishomosamp function in libjasper/base/jas_image.c. (CVE-2017-14132)

  - JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check     to see if the image contained at least one component resulting in a denial-of-service. (CVE-2017-1000050)

  - There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an     attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality,     integrity, or application availability. (CVE-2020-27828)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

JasPer NEWS :

- Fix CVE-2018-9154

- Fix CVE-2018-19541

- Fix CVE-2016-9399, CVE-2017-13751

- Fix CVE-2018-19540

- Fix CVE-2018-9055

- Fix CVE-2017-13748

- Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505

- Fix CVE-2018-9252

- Fix CVE-2018-19139

- Fix CVE-2018-19543, CVE-2017-9782

- Fix CVE-2018-20570

- Fix CVE-2018-20622

- Fix CVE-2016-9398

- Fix CVE-2017-14132

- Fix CVE-2017-5499

- Fix CVE-2018-18873

- Fix CVE-2017-13750

According to the versions of the jasper package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - JasPer 2.0.14 allows denial of service via a reachable     assertion in the function jpc_firstone in     libjasper/jpc/jpc_math.c.(CVE-2018-9055)

  - An issue was discovered in JasPer 2.0.14. There is a     NULL pointer dereference in the function jp2_decode in     libjasper/jp2/jp2_dec.c, leading to a denial of     service.(CVE-2018-19542)

  - An issue was discovered in JasPer 2.0.14. There is an     access violation in the function jas_image_readcmpt in     libjasper/base/jas_image.c, leading to a denial of     service.(CVE-2018-19539)

  - JasPer 2.0.13 allows remote attackers to cause a denial     of service (heap-based buffer over-read and application     crash) via a crafted image, related to the     jas_image_ishomosamp function in     libjasper/base/jas_image.c.(CVE-2017-14132)

  - There are lots of memory leaks in JasPer 2.0.12,     triggered in the function jas_strdup() in     base/jas_string.c, that will lead to a remote denial of     service attack.(CVE-2017-13748)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the jasper package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - There are lots of memory leaks in JasPer 2.0.12,     triggered in the function jas_strdup() in     base/jas_string.c, that will lead to a remote denial of     service attack.(CVE-2017-13748)

  - JasPer 2.0.13 allows remote attackers to cause a denial     of service (heap-based buffer over-read and application     crash) via a crafted image, related to the     jas_image_ishomosamp function in     libjasper/base/jas_image.c.(CVE-2017-14132)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the jasper package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in JasPer 2.0.14. There is a     heap-based buffer overflow of size 1 in the function     jas_icctxtdesc_input in     libjasper/base/jas_icc.c.(CVE-2018-19540)

  - An issue was discovered in JasPer 2.0.14. There is a     heap-based buffer over-read of size 8 in the function     jas_image_depalettize in     libjasper/base/jas_image.c.(CVE-2018-19541)

  - An issue was discovered in JasPer 2.0.14. There is a     NULL pointer dereference in the function jp2_decode in     libjasper/jp2/jp2_dec.c, leading to a denial of     service.(CVE-2018-19542)

  - An issue was discovered in JasPer 2.0.14. There is an     access violation in the function jas_image_readcmpt in     libjasper/base/jas_image.c, leading to a denial of     service.(CVE-2018-19539)

  - Heap-based buffer overflow in the jpc_dec_decodepkt     function in jpc_t2dec.c in JasPer 2.0.10 allows remote     attackers to have unspecified impact via a crafted     image.(CVE-2017-6852)

  - JasPer 2.0.14 allows denial of service via a reachable     assertion in the function jpc_firstone in     libjasper/jpc/jpc_math.c.(CVE-2018-9055)

  - The jpc_floorlog2 function in jpc_math.c in JasPer     before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via unspecified     vectors.(CVE-2016-9398)

  - There are lots of memory leaks in JasPer 2.0.12,     triggered in the function jas_strdup() in     base/jas_string.c, that will lead to a remote denial of     service attack.(CVE-2017-13748)

  - There is a reachable assertion abort in the function     calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12 that     will lead to a remote denial of service     attack.(CVE-2017-13751)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the jasper package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The jpc_floorlog2 function in jpc_math.c in JasPer     before 1.900.17 allows remote attackers to cause a     denial of service (assertion failure) via unspecified     vectors.(CVE-2016-9398)

  - JasPer 2.0.14 allows denial of service via a reachable     assertion in the function jpc_firstone in     libjasper/jpc/jpc_math.c.(CVE-2018-9055)

  - An issue was discovered in JasPer 2.0.14. There is an     access violation in the function jas_image_readcmpt in     libjasper/base/jas_image.c, leading to a denial of     service.(CVE-2018-19539)

  - An issue was discovered in JasPer 2.0.14. There is a     heap-based buffer overflow of size 1 in the function     jas_icctxtdesc_input in     libjasper/base/jas_icc.c.(CVE-2018-19540)

  - An issue was discovered in JasPer 2.0.14. There is a     heap-based buffer over-read of size 8 in the function     jas_image_depalettize in     libjasper/base/jas_image.c.(CVE-2018-19541)

  - An issue was discovered in JasPer 2.0.14. There is a     NULL pointer dereference in the function jp2_decode in     libjasper/jp2/jp2_dec.c, leading to a denial of     service.(CVE-2018-19542)

  - There are lots of memory leaks in JasPer 2.0.12,     triggered in the function jas_strdup() in     base/jas_string.c, that will lead to a remote denial of     service attack.(CVE-2017-13748)

  - There is a reachable assertion abort in the function     calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12 that     will lead to a remote denial of service     attack.(CVE-2017-13751)

  - Heap-based buffer overflow in the jpc_dec_decodepkt     function in jpc_t2dec.c in JasPer 2.0.10 allows remote     attackers to have unspecified impact via a crafted     image.(CVE-2017-6852)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201908-03 (JasPer: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in JasPer. Please review       the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

Several security vulnerabilities were discovered in the JasPer JPEG-2000 library.

CVE-2015-5203

Gustavo Grieco discovered an integer overflow vulnerability that allows remote attackers to cause a denial of service or may have other unspecified impact via a crafted JPEG 2000 image file.

CVE-2015-5221

Josselin Feist found a double-free vulnerability that allows remote attackers to cause a denial of service (application crash) by processing a malformed image file.

CVE-2016-8690

Gustavo Grieco discovered a NULL pointer dereference vulnerability that can cause a denial of service via a crafted BMP image file. The update also includes the fixes for the related issues CVE-2016-8884 and CVE-2016-8885 which complete the patch for CVE-2016-8690.

CVE-2017-13748

It was discovered that jasper does not properly release memory used to store image tile data when image decoding fails which may lead to a denial of service.

CVE-2017-14132

A heap-based buffer over-read was found related to the jas_image_ishomosamp function that could be triggered via a crafted image file and may cause a denial of service (application crash) or have other unspecified impact.

For Debian 8 'Jessie', these problems have been fixed in version 1.900.1-debian1-2.4+deb8u4.

We recommend that you upgrade your jasper packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
146125	Fedora 32 : jasper (2021-0a6290f865)	Nessus	Fedora Local Security Checks	high
145784	Fedora 33 : jasper (2021-2b151590d9)	Nessus	Fedora Local Security Checks	high
139830	FreeBSD : jasper -- multiple vulnerabilities (6842ac7e-d250-11ea-b9b7-08002728f74c)	Nessus	FreeBSD Local Security Checks	high
132807	EulerOS Virtualization for ARM 64 3.0.5.0 : jasper (EulerOS-SA-2020-1053)	Nessus	Huawei Local Security Checks	high
132604	EulerOS 2.0 SP8 : jasper (EulerOS-SA-2020-1011)	Nessus	Huawei Local Security Checks	high
132133	EulerOS 2.0 SP3 : jasper (EulerOS-SA-2019-2598)	Nessus	Huawei Local Security Checks	high
131643	EulerOS 2.0 SP2 : jasper (EulerOS-SA-2019-2490)	Nessus	Huawei Local Security Checks	high
127561	GLSA-201908-03 : JasPer: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
119100	Debian DLA-1583-1 : jasper security update	Nessus	Debian Local Security Checks	high

CVE-2017-13748

HIGH

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

high

high

high

high

high

high

high

high

high