SUSE SLED12 / SLES12 Security Update : jasper (SUSE-SU-2017:1916-1)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

This update for jasper fixes the following issues: Security issues
fixed :

- CVE-2016-9262: Multiple integer overflows in the
jas_realloc function in base/jas_malloc.c and mem_resize
function in base/jas_stream.c allow remote attackers to
cause a denial of service via a crafted image, which
triggers use after free vulnerabilities. (bsc#1009994)

- CVE-2016-9388: The ras_getcmap function in ras_dec.c
allows remote attackers to cause a denial of service
(assertion failure) via a crafted image file.
(bsc#1010975)

- CVE-2016-9389: The jpc_irct and jpc_iict functions in
jpc_mct.c allow remote attackers to cause a denial of
service (assertion failure). (bsc#1010968)

- CVE-2016-9390: The jas_seq2d_create function in
jas_seq.c allows remote attackers to cause a denial of
service (assertion failure) via a crafted image file.
(bsc#1010774)

- CVE-2016-9391: The jpc_bitstream_getbits function in
jpc_bs.c allows remote attackers to cause a denial of
service (assertion failure) via a very large integer.
(bsc#1010782)

- CVE-2017-1000050: The jp2_encode function in jp2_enc.c
allows remote attackers to cause a denial of service.
(bsc#1047958) CVEs already fixed with previous update :

- CVE-2016-9392: The calcstepsizes function in jpc_dec.c
allows remote attackers to cause a denial of service
(assertion failure) via a crafted file. (bsc#1010757)

- CVE-2016-9393: The jpc_pi_nextrpcl function in
jpc_t2cod.c allows remote attackers to cause a denial of
service (assertion failure) via a crafted file.
(bsc#1010766)

- CVE-2016-9394: The jas_seq2d_create function in
jas_seq.c allows remote attackers to cause a denial of
service (assertion failure) via a crafted file.
(bsc#1010756)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1009994
https://bugzilla.suse.com/1010756
https://bugzilla.suse.com/1010757
https://bugzilla.suse.com/1010766
https://bugzilla.suse.com/1010774
https://bugzilla.suse.com/1010782
https://bugzilla.suse.com/1010968
https://bugzilla.suse.com/1010975
https://bugzilla.suse.com/1047958
https://www.suse.com/security/cve/CVE-2016-9262.html
https://www.suse.com/security/cve/CVE-2016-9388.html
https://www.suse.com/security/cve/CVE-2016-9389.html
https://www.suse.com/security/cve/CVE-2016-9390.html
https://www.suse.com/security/cve/CVE-2016-9391.html
https://www.suse.com/security/cve/CVE-2016-9392.html
https://www.suse.com/security/cve/CVE-2016-9393.html
https://www.suse.com/security/cve/CVE-2016-9394.html
https://www.suse.com/security/cve/CVE-2017-1000050.html
http://www.nessus.org/u?061cf2f5

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
patch SUSE-SLE-SDK-12-SP2-2017-1191=1

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
patch SUSE-SLE-RPI-12-SP2-2017-1191=1

SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
SUSE-SLE-SERVER-12-SP2-2017-1191=1

SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP2-2017-1191=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 3.9
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 101891 ()

Bugtraq ID:

CVE ID: CVE-2016-9262
CVE-2016-9388
CVE-2016-9389
CVE-2016-9390
CVE-2016-9391
CVE-2016-9392
CVE-2016-9393
CVE-2016-9394
CVE-2017-1000050

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now