ESB-2018.3632 - [Debian] jasper: Multiple vulnerabilities 2018-11-22


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3632
                    [DLA 1583-1] jasper security update
                             22 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jasper
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Denial of Service -- Remote with User Interaction
                   Reduced Security  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14132 CVE-2017-13748 CVE-2016-8885
                   CVE-2016-8884 CVE-2016-8690 CVE-2015-5221
                   CVE-2015-5203  

Reference:         ESB-2018.1886
                   ESB-2017.1168

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/11/msg00023.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jasper
Version        : 1.900.1-debian1-2.4+deb8u4
CVE ID         : CVE-2015-5203 CVE-2015-5221 CVE-2016-8690
                 CVE-2017-13748 CVE-2017-14132

Several security vulnerabilities were discovered in the JasPer
JPEG-2000 library.

CVE-2015-5203

    Gustavo Grieco discovered an integer overflow vulnerability that
    allows remote attackers to cause a denial of service or possibly
    have other unspecified impact via a crafted JPEG 2000 image file.

CVE-2015-5221

    Josselin Feist found a double-free vulnerability that allows remote
    attackers to cause a denial of service (application crash) by
    processing a malformed image file.

CVE-2016-8690

    Gustavo Grieco discovered a NULL pointer dereference vulnerability
    that can cause a denial of service via a crafted BMP image file. The
    update also includes the fixes for the related issues CVE-2016-8884
    and CVE-2016-8885, which complete the patch for CVE-2016-8690.

CVE-2017-13748

    It was discovered that jasper does not properly release memory used
    to store image tile data when image decoding fails (a memory leak),
    which may lead to a denial of service.

CVE-2017-14132

    A heap-based buffer over-read was found in code related to the
    jas_image_ishomosamp function. It can be triggered via a crafted
    image file and may cause a denial of service (application crash) or
    have other unspecified impact.

For Debian 8 "Jessie", these problems have been fixed in version
1.900.1-debian1-2.4+deb8u4.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------
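The advisory above names the fixed package version for Debian 8 (1.900.1-debian1-2.4+deb8u4). The following is an added example, not part of the Debian advisory, the AusCERT bulletin, or the jasper project: it reimplements dpkg's version ordering (epoch, upstream, revision; '~' sorts before everything, letters before other punctuation, numeric runs compared as numbers) in Python so that an inventory of installed package versions can be triaged against that fixed version without shelling out to `dpkg --compare-versions` on every host. The host inventory is constructed for the example, and the binary package names (libjasper1, libjasper-dev, libjasper-runtime) are assumed to be those built from the jessie jasper source package.

```python
"""Triage installed jasper package versions against the DLA 1583-1 fix.

Added example (not from the Debian advisory or the jasper project): a
pure-Python port of dpkg's version comparison applied to constructed
inventory lines of the form "host package version".
"""
from typing import List, Tuple

# Fixed version stated in DLA 1583-1 for Debian 8 "jessie".
FIXED_VERSION = "1.900.1-debian1-2.4+deb8u4"
# Assumed binary package names built from the jessie jasper source package.
JASPER_BINARY_PACKAGES = ("libjasper1", "libjasper-dev", "libjasper-runtime")

# Constructed sample inventory; on a real host each line would come from
#   dpkg-query -W -f='${Package} ${Version}\n' 'libjasper*'
# prefixed with the hostname.  hostD uses a constructed '~' suffix to show
# that a tilde version sorts *below* the plain release it is derived from.
SAMPLE_INVENTORY = """\
hostA libjasper1 1.900.1-debian1-2.4+deb8u3
hostA libjasper-dev 1.900.1-debian1-2.4+deb8u3
hostB libjasper1 1.900.1-debian1-2.4+deb8u4
hostC libjasper1 1.900.1-debian1-2.4
hostD libjasper1 1.900.1-debian1-2.4+deb8u4~bpo
hostE libjpeg62-turbo 1:1.3.1-12
"""


def _order(c: str) -> int:
    """Weight of one character as in dpkg's order(): digits and end-of-string
    are 0, letters their code point, '~' below everything, other characters
    above all letters."""
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp(a, b) -> int:
    return (a > b) - (a < b)


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream or revision string like dpkg's verrevcmp():
    alternate non-digit runs (by _order) and numeric runs (by value)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: first differing character decides.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return _cmp(ac, bc)
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer run wins, else the
        # first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = _cmp(a[i], b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision is everything after the *last* hyphen, so the upstream part
    of 1.900.1-debian1-2.4+deb8u4 is '1.900.1-debian1'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0, >0 as dpkg --compare-versions would order a against b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return _cmp(ea, eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def find_vulnerable(inventory: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str, str]]:
    """Return (host, package, version) for each jasper binary package whose
    installed version sorts below the fixed version; other packages ignored."""
    vulnerable = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, package, version = line.split()
        if package in JASPER_BINARY_PACKAGES and compare_versions(version, fixed) < 0:
            vulnerable.append((host, package, version))
    return vulnerable


if __name__ == "__main__":
    for host, package, version in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: {package} {version} < {FIXED_VERSION}")
```

Only hostB is at the fixed version; hostA and hostC are older, and hostD is flagged because a tilde suffix orders before the release it is attached to, which is exactly why pre-release or backport-style strings must not be assumed to carry the fix. The epoch and numeric-run rules matter too: "1.10" sorts above "1.9", and any epoch outranks the whole upstream string, so a naive string comparison would misclassify hosts.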

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW/X4TGaOgq3Tt24GAQjNMQ//ZWqTL3z/wwT1zdxIYD1LSfar+ThJMFIi
v+Bn7PWSnMNiFYw6ontwYd7Me6g42mPiI8zqE6RLQnNYAeE33QcZOuIEQJA/Sroa
hjn0aBooop/S9KYnDj5X48Tw2/F/2TaBLuP2xD9yYgBy2cYwEJklQaEwbokWamJJ
KtxIMdtgUy60CQTPA7cEBavx7TzQdk2BUiwj19Z1x9yrYerRwteLSNy4FKHSd8qQ
1Ok45kYPFOPGUZnvm8ZINm6AkSwoJQpRQ5fAlKcxijq1PrNlVNVK4GhggVjGAGeh
c3EeufITIwE4J1wbpBumg3M/B2M4tcvhODIJ/IqW/HYvwJ03AuFUoVpq06p+9QnL
TxbKhFxKSgf9ER4hzhpMd2FDLkAkhuLABk8Pv5TTM0juOQqIrJtoSzwpHtKDg2yD
3gLUED1SQNTv6iLX6DDbAls3Hr0LsOcJhRjG8OXr2UOccFvjiRIFO91tNdcQfAHQ
Sjs567kC2LE9IUWbcY42pW5VmZjGk8tnD1nyo06AEc11OhyItISDoQfSuUGS4ja4
RP2kLeezId4ywTvCu47rOOVq0gjg/5cWVQltrSMVOTebU8agiQwI90SQiUzsnRkk
z7TQO+2kMbVg5fh/ybGkLtD+LSE6pUE+Vwj9ABFA3MVByVKjbI7TJzHVgeUAA3IE
uKm0WfT4F08=
=VevA
-----END PGP SIGNATURE-----
