[SECURITY] [DLA 1583-1] jasper security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : jasper
Version : 1.900.1-debian1-2.4+deb8u4
CVE ID : CVE-2015-5203 CVE-2015-5221 CVE-2016-8690
CVE-2017-13748 CVE-2017-14132
Several security vulnerabilities were discovered in the JasPer
JPEG-2000 library.
CVE-2015-5203
Gustavo Grieco discovered an integer overflow vulnerability that
allows remote attackers to cause a denial of service or may have
other unspecified impact via a crafted JPEG 2000 image file.
CVE-2015-5221
Josselin Feist found a double-free vulnerability that allows remote
attackers to cause a denial-of-service (application crash) by
processing a malformed image file.
CVE-2016-8690
Gustavo Grieco discovered a NULL pointer dereference vulnerability
that can cause a denial-of-service via a crafted BMP image file. The
update also includes the fixes for the related issues CVE-2016-8884
and CVE-2016-8885 which complete the patch for CVE-2016-8690.
CVE-2017-13748
It was discovered that jasper does not properly release memory used
to store image tile data when image decoding fails which may lead to
a denial-of-service.
CVE-2017-14132
A heap-based buffer over-read was found related to the
jas_image_ishomosamp function that could be triggered via a crafted
image file and may cause a denial-of-service (application crash) or
have other unspecified impact.
For Debian 8 "Jessie", these problems have been fixed in version
1.900.1-debian1-2.4+deb8u4.
We recommend that you upgrade your jasper packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlv1aOJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRgiQ//ZXMWL7G80FV6OiSLEx4mwUCha3aAW0wpI1Zfne8yg+2vQ8lhc3uGEKsp
iS/i+2nJW4XCFwtyWXNVeeRfnpS+/7HRGLaVQn5bD6imvd+e3cqCqE9cHAY1hhTw
skLj1mHv4dRfaOrU3hkGbd1NQDSXMghZ5lq2RAWxbllXOhrm9s3ObfNtf8NNYEDW
SwMKqFV+UMFJ4va6PhGcNQt0OeZE/Rt3JQ9VOqEHrqhJth65ZVvUh5yAKcjKEcYE
luOwJY23SrClV7ga/90NokejFo+JvTQhUNiDFyOAQpPVB9yANqN/IByuVTxmyjWL
IkD5hghgXW0jlBcviQ8yRRo3MM8pfdMp6sJb5Jxyh90828CPXOpKhmWlujw6qXM3
Vlv4wQI/+GxTNHMMmdVEbOax6fmVBvX8jl6WrMYOeeJ3wgBxHqvOYrBsJ6iAV9t0
OX70Ru9BT9Iaei6OWzNPlWc0A8B8lKnYoAPLovlzN+WAcGkNR6NzMF6E5Ht6Gu+/
KxP409hOsIhsKciNlS4F1vhFeYOvgu87zvKl526QIR+JuEOErTuPrX+M5tkiUVdA
HJAbeisXJNFnzPgTZuntI7zczDvhxL/kxpcN31AIPSTBeJWojetZDOqm1S0orVW9
DDwRUTieNEH8/x9luNENh3HxNDNRNQ2qiTewn9+WAOtK9eDWMoI=
=alG5
-----END PGP SIGNATURE-----
Reply to: