ESB-2019.0043 - [Win][Linux][Debian][OSX] jasper: Multiple vulnerabilities 2019-01-03


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0043
                          jasper security update
                              3 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jasper
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
                   Windows
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-20622 CVE-2018-20584 CVE-2018-20570
                   CVE-2018-19542 CVE-2018-19541 CVE-2018-19540
                   CVE-2018-19539 CVE-2018-19139 CVE-2018-18873

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1628-1

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running jasper check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jasper
Version        : 1.900.1-debian1-2.4+deb8u5
CVE ID         : CVE-2018-18873 CVE-2018-19139 CVE-2018-19539
                 CVE-2018-19540 CVE-2018-19541 CVE-2018-19542
                 CVE-2018-20570 CVE-2018-20584 CVE-2018-20622

Multiple issues were found in the JasPer JPEG-2000 library that could
lead to a denial-of-service (application crash), memory leaks and
potentially the execution of arbitrary code if a malformed image file
is processed.

For Debian 8 "Jessie", these problems have been fixed in version
1.900.1-debian1-2.4+deb8u5.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
