
[SECURITY] [DLA 920-1] jasper security update




Package        : jasper
Version        : 1.900.1-13+deb7u6
CVE ID         : CVE-2016-9591 CVE-2016-10251


CVE-2016-9591
     Use-after-free on heap in jas_matrix_destroy
     The vulnerability exists in the code responsible for re-encoding the
     decoded input image file to a JP2 image. It is caused by not setting
     the related pointers to NULL after they are freed (i.e. missing
     set-pointer-to-NULL operations after free). The vulnerability can
     further cause a double free.
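
The missing set-pointer-to-NULL pattern described above, shown beside a hardened destroy routine. This is an added example, not JasPer's code or the Debian patch; `matrix_t`, `component_t` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical types for illustration; not JasPer's jas_matrix_t. */
typedef struct { size_t numrows, numcols; int **rows; int *data; } matrix_t;
typedef struct { matrix_t *mat; } component_t;   /* owner of a matrix */

matrix_t *matrix_create(size_t numrows, size_t numcols)
{
    matrix_t *m;
    /* Refuse dimensions whose element count would overflow size_t. */
    if (!numrows || !numcols || numcols > SIZE_MAX / sizeof(int) / numrows)
        return NULL;
    if (!(m = calloc(1, sizeof(*m))))
        return NULL;
    m->data = calloc(numrows * numcols, sizeof(int));
    m->rows = calloc(numrows, sizeof(int *));
    if (!m->data || !m->rows) {
        free(m->data); free(m->rows); free(m);
        return NULL;
    }
    for (size_t i = 0; i < numrows; i++)
        m->rows[i] = m->data + i * numcols;
    m->numrows = numrows; m->numcols = numcols;
    return m;
}

/* "Before": frees the matrix but leaves the owner's pointer dangling,
 * so a second call through the same owner is a double free. */
void matrix_destroy_unsafe(matrix_t *m)
{
    free(m->rows); free(m->data); free(m);
}

/* "After": takes the owner's pointer by address and nulls what it frees.
 * Returns 1 if memory was released, 0 if there was nothing to destroy. */
int matrix_destroy(matrix_t **mp)
{
    matrix_t *m;
    if (!mp || !(m = *mp)) return 0;
    free(m->rows); m->rows = NULL;
    free(m->data); m->data = NULL;
    free(m);
    *mp = NULL;            /* owner can no longer reach freed memory */
    return 1;
}

int main(void)
{
    component_t c = { matrix_create(4, 8) };
    matrix_destroy(&c.mat);
    return matrix_destroy(&c.mat);   /* second call is a no-op: returns 0 */
}
```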

CVE-2016-10251
     Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in
     JasPer before 1.900.20 allows remote attackers to have unspecified
     impact via a crafted file, which triggers use of an uninitialized
     value.

Additional
     fix for TEMP-CVE from last upload to avoid hassle with SIZE_MAX


For Debian 7 "Wheezy", these problems have been fixed in version
1.900.1-13+deb7u6.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


