ESB-2019.0043.2 - UPDATE [Win][Linux][Debian][OSX] jasper: Multiple vulnerabilities - 2019-04-15


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.0043.2
                          jasper security update
                               15 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jasper
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
                   Windows
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-20622 CVE-2018-20584 CVE-2018-20570
                   CVE-2018-19542 CVE-2018-19541 CVE-2018-19540
                   CVE-2018-19539 CVE-2018-19139 CVE-2018-18873

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1628-1
   https://security-tracker.debian.org/tracker/DLA-1628-2

Comment: This bulletin contains two (2) Debian security advisories.

         This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running jasper check for an updated version of the software for
         their operating system.

Revision History:  April   15 2019: Vendor released a regression update
                   January  3 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jasper
Version        : 1.900.1-debian1-2.4+deb8u5
CVE ID         : CVE-2018-18873 CVE-2018-19139 CVE-2018-19539
                 CVE-2018-19540 CVE-2018-19541 CVE-2018-19542
                 CVE-2018-20570 CVE-2018-20584 CVE-2018-20622

Multiple issues were found in the JasPer JPEG-2000 library that could
lead to a denial-of-service (application crash), memory leaks and
potentially the execution of arbitrary code if a malformed image file
is processed.

For Debian 8 "Jessie", these problems have been fixed in version
1.900.1-debian1-2.4+deb8u5.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jasper
Version        : 1.900.1-debian1-2.4+deb8u6

The update of jasper issued as DLA-1628-1 caused a regression due to
the fix for CVE-2018-19542, a NULL pointer dereference in the function
jp2_decode, which could lead to a denial-of-service. In some cases not
only invalid jp2 files but also valid jp2 files were rejected.

For Debian 8 "Jessie", this problem has been fixed in version
1.900.1-debian1-2.4+deb8u6.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----