Debian Security Advisory

DLA-739-1 jasper -- LTS security update

Date Reported: 10 Dec 2016
Affected Packages: jasper
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2016-8654, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693, CVE-2016-8882, CVE-2016-8883, CVE-2016-8887, CVE-2016-9560.
More information:
  • CVE-2016-8691

    FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c

  • CVE-2016-8692

    FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c

  • CVE-2016-8693

    attempting double-free ... mem_close ... jas_stream.c

  • CVE-2016-8882

    segfault / null pointer access in jpc_pi_destroy

  • CVE-2016-9560

    stack-based buffer overflow in jpc_tsfb_getbands2 (jpc_tsfb.c)

  • CVE-2016-8887 part 1 + 2

    NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)

  • CVE-2016-8654

    Heap-based buffer overflow in QMFB code in JPC codec

  • CVE-2016-8883

    assert in jpc_dec_tiledecode()

  • TEMP-CVE

    heap-based buffer overflow in jpc_dec_tiledecode (jpc_dec.c)

For Debian 7 Wheezy, these problems have been fixed in version 1.900.1-13+deb7u5.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS