[SECURITY] [DLA 1583-1] jasper security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1583-1] jasper security update
From: Markus Koschany <apo@debian.org>
Date: Wed, 21 Nov 2018 15:17:07 +0100
Message-id: <[🔎] 1f907a43-bbfc-39a7-61a5-aefb4d853c0d@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jasper
Version        : 1.900.1-debian1-2.4+deb8u4
CVE ID         : CVE-2015-5203 CVE-2015-5221 CVE-2016-8690
                 CVE-2017-13748 CVE-2017-14132

Several security vulnerabilities were discovered in the JasPer
JPEG-2000 library.

CVE-2015-5203

    Gustavo Grieco discovered an integer overflow vulnerability that
    allows remote attackers to cause a denial of service or may have
    other unspecified impact via a crafted JPEG 2000 image file.

CVE-2015-5221

    Josselin Feist found a double-free vulnerability that allows remote
    attackers to cause a denial-of-service (application crash) by
    processing a malformed image file.

CVE-2016-8690

    Gustavo Grieco discovered a NULL pointer dereference vulnerability
    that can cause a denial-of-service via a crafted BMP image file. The
    update also includes the fixes for the related issues CVE-2016-8884
    and CVE-2016-8885 which complete the patch for CVE-2016-8690.

CVE-2017-13748

    It was discovered that jasper does not properly release memory used
    to store image tile data when image decoding fails which may lead to
    a denial-of-service.

CVE-2017-14132

    A heap-based buffer over-read was found related to the
    jas_image_ishomosamp function that could be triggered via a crafted
    image file and may cause a denial-of-service (application crash) or
    have other unspecified impact.

For Debian 8 "Jessie", these problems have been fixed in version
1.900.1-debian1-2.4+deb8u4.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlv1aOJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRgiQ//ZXMWL7G80FV6OiSLEx4mwUCha3aAW0wpI1Zfne8yg+2vQ8lhc3uGEKsp
iS/i+2nJW4XCFwtyWXNVeeRfnpS+/7HRGLaVQn5bD6imvd+e3cqCqE9cHAY1hhTw
skLj1mHv4dRfaOrU3hkGbd1NQDSXMghZ5lq2RAWxbllXOhrm9s3ObfNtf8NNYEDW
SwMKqFV+UMFJ4va6PhGcNQt0OeZE/Rt3JQ9VOqEHrqhJth65ZVvUh5yAKcjKEcYE
luOwJY23SrClV7ga/90NokejFo+JvTQhUNiDFyOAQpPVB9yANqN/IByuVTxmyjWL
IkD5hghgXW0jlBcviQ8yRRo3MM8pfdMp6sJb5Jxyh90828CPXOpKhmWlujw6qXM3
Vlv4wQI/+GxTNHMMmdVEbOax6fmVBvX8jl6WrMYOeeJ3wgBxHqvOYrBsJ6iAV9t0
OX70Ru9BT9Iaei6OWzNPlWc0A8B8lKnYoAPLovlzN+WAcGkNR6NzMF6E5Ht6Gu+/
KxP409hOsIhsKciNlS4F1vhFeYOvgu87zvKl526QIR+JuEOErTuPrX+M5tkiUVdA
HJAbeisXJNFnzPgTZuntI7zczDvhxL/kxpcN31AIPSTBeJWojetZDOqm1S0orVW9
DDwRUTieNEH8/x9luNENh3HxNDNRNQ2qiTewn9+WAOtK9eDWMoI=
=alG5
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1585-1] ruby-rack security update
Next by Date: [SECURITY] [DLA 1586-1] openssl security update
Previous by thread: [SECURITY] [DLA 1585-1] ruby-rack security update
Next by thread: [SECURITY] [DLA 1586-1] openssl security update
Index(es):
- Date
- Thread