ESB-2014.2296 - [Win][UNIX/Linux][Debian] jasper: Execute arbitrary code/commands - Remote with user interaction

Date: 05 December 2014
References: ESB-2014.2456  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2296
                          jasper security update
                              5 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jasper
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9029  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3089

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running jasper check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3089-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
December 04, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : jasper
CVE ID         : CVE-2014-9029
Debian Bug     : 772036

Josh Duart of the Google Security Team discovered heap-based buffer
overflow flaws in JasPer, a library for manipulating JPEG-2000 files,
which could lead to denial of service (application crash) or the
execution of arbitrary code.

For the stable distribution (wheezy), these problems have been fixed
in version 1.900.1-13+deb7u1.

For the upcoming stable distribution (jessie) and the unstable
distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your jasper packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----