Debian Security Advisory

DLA-739-1 jasper -- LTS security update

Date Reported:
10 Dec 2016
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-8654, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693, CVE-2016-8882, CVE-2016-8883, CVE-2016-8887, CVE-2016-9560.
More information:
  • CVE-2016-8691

    FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c

  • CVE-2016-8692

    FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c

  • CVE-2016-8693

    attempting double-free ... mem_close ... jas_stream.c

  • CVE-2016-8882

    segfault / null pointer access in jpc_pi_destroy

  • CVE-2016-9560

    stack-based buffer overflow in jpc_tsfb_getbands2 (jpc_tsfb.c)

  • CVE-2016-8887 part 1 + 2

    NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)

  • CVE-2016-8654

    Heap-based buffer overflow in QMFB code in JPC codec

  • CVE-2016-8883

    assert in jpc_dec_tiledecode()


    heap-based buffer overflow in jpc_dec_tiledecode (jpc_dec.c)

For Debian 7 Wheezy, these problems have been fixed in version 1.900.1-13+deb7u5.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: