OracleVM 3.3 / 3.4 : jasper (OVMSA-2017-0102)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- Bump release

- Multiple security fixes (fixed by thoger): CVE-2015-5203
CVE-2015-5221 CVE-2016-1577 CVE-2016-1867
(CVE-2016-2089) CVE-2016-2116 CVE-2016-8654
CVE-2016-8690 CVE-2016-8691 (CVE-2016-8692)
CVE-2016-8693 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885
(CVE-2016-9262) CVE-2016-9387 CVE-2016-9388
CVE-2016-9389 CVE-2016-9390 (CVE-2016-9391)
CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9560
(CVE-2016-9583) CVE-2016-9591 CVE-2016-9600
CVE-2016-10248 CVE-2016-10249 (CVE-2016-10251)

- Fix implicit declaration warning caused by security
fixes above

- CVE-2014-8157 - dec->numtiles off-by-one check in
jpc_dec_process_sot (#1183672)

- CVE-2014-8158 - unrestricted stack memory use in
jpc_qmfb.c (#1183680)

- CVE-2014-8137 - double-free in in jas_iccattrval_destroy
(#1173567)

- CVE-2014-8138 - heap overflow in jp2_decode (#1173567)

- CVE-2014-9029 - incorrect component number check in COC,
RGN and QCC marker segment decoders (#1171209)

See also :

https://oss.oracle.com/pipermail/oraclevm-errata/2017-May/000695.html
https://oss.oracle.com/pipermail/oraclevm-errata/2017-May/000696.html

Solution :

Update the affected jasper-libs package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.8
(CVSS2#E:POC/RL:U/RC:ND)
Public Exploit Available : true