Security update for jasper SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1960-1 Final 1 1 2017-07-25T19:53:02Z current 2017-07-25T19:53:02Z 2017-07-25T19:53:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jasper This update for jasper fixes the following issues: Security issues fixed: - CVE-2016-9262: Multiple integer overflows in the jas_realloc function in base/jas_malloc.c and mem_resize function in base/jas_stream.c allow remote attackers to cause a denial of service via a crafted image, which triggers use after free vulnerabilities. (bsc#1009994) - CVE-2016-9388: The ras_getcmap function in ras_dec.c allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. (bsc#1010975) - CVE-2016-9389: The jpc_irct and jpc_iict functions in jpc_mct.c allow remote attackers to cause a denial of service (assertion failure). (bsc#1010968) - CVE-2016-9390: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. (bsc#1010774) - CVE-2016-9391: The jpc_bitstream_getbits function in jpc_bs.c allows remote attackers to cause a denial of service (assertion failure) via a very large integer. (bsc#1010782) - CVE-2017-1000050: The jp2_encode function in jp2_enc.c allows remote attackers to cause a denial of service. (bsc#1047958) CVEs already fixed with previous update: - CVE-2016-9392: The calcstepsizes function in jpc_dec.c allows remote attackers to cause a denial of service (assertion failure) via a crafted file. (bsc#1010757) - CVE-2016-9393: The jpc_pi_nextrpcl function in jpc_t2cod.c allows remote attackers to cause a denial of service (assertion failure) via a crafted file. (bsc#1010766) - CVE-2016-9394: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a denial of service (assertion failure) via a crafted file. (bsc#1010756) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html E-Mail link for openSUSE-SU-2017:1960-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 jasper-1.900.14-179.1 libjasper-devel-1.900.14-179.1 libjasper1-1.900.14-179.1 libjasper1-32bit-1.900.14-179.1 jasper-1.900.14-179.1 as a component of openSUSE Leap 42.2 libjasper-devel-1.900.14-179.1 as a component of openSUSE Leap 42.2 libjasper1-1.900.14-179.1 as a component of openSUSE Leap 42.2 libjasper1-32bit-1.900.14-179.1 as a component of openSUSE Leap 42.2 jasper-1.900.14-179.1 as a component of openSUSE Leap 42.3 libjasper-devel-1.900.14-179.1 as a component of openSUSE Leap 42.3 libjasper1-1.900.14-179.1 as a component of openSUSE Leap 42.3 libjasper1-32bit-1.900.14-179.1 as a component of openSUSE Leap 42.3 Multiple integer overflows in the (1) jas_realloc function in base/jas_malloc.c and (2) mem_resize function in base/jas_stream.c in JasPer before 1.900.22 allow remote attackers to cause a denial of service via a crafted image, which triggers use after free vulnerabilities. CVE-2016-9262 openSUSE Leap 42.2:jasper-1.900.14-179.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-179.1 openSUSE Leap 42.3:jasper-1.900.14-179.1 openSUSE Leap 42.3:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-32bit-1.900.14-179.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://www.suse.com/security/cve/CVE-2016-9262.html CVE-2016-9262 https://bugzilla.suse.com/1009994 SUSE Bug 1009994 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The ras_getcmap function in ras_dec.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. CVE-2016-9388 openSUSE Leap 42.2:jasper-1.900.14-179.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-179.1 openSUSE Leap 42.3:jasper-1.900.14-179.1 openSUSE Leap 42.3:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-32bit-1.900.14-179.1 moderate 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://www.suse.com/security/cve/CVE-2016-9388.html CVE-2016-9388 https://bugzilla.suse.com/1010975 SUSE Bug 1010975 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jpc_irct and jpc_iict functions in jpc_mct.c in JasPer before 1.900.14 allow remote attackers to cause a denial of service (assertion failure). CVE-2016-9389 openSUSE Leap 42.2:jasper-1.900.14-179.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-179.1 openSUSE Leap 42.3:jasper-1.900.14-179.1 openSUSE Leap 42.3:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-32bit-1.900.14-179.1 moderate 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://www.suse.com/security/cve/CVE-2016-9389.html CVE-2016-9389 https://bugzilla.suse.com/1010968 SUSE Bug 1010968 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. CVE-2016-9390 openSUSE Leap 42.2:jasper-1.900.14-179.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-179.1 openSUSE Leap 42.3:jasper-1.900.14-179.1 openSUSE Leap 42.3:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-32bit-1.900.14-179.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://www.suse.com/security/cve/CVE-2016-9390.html CVE-2016-9390 https://bugzilla.suse.com/1010774 SUSE Bug 1010774 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a very large integer. CVE-2016-9391 openSUSE Leap 42.2:jasper-1.900.14-179.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-179.1 openSUSE Leap 42.3:jasper-1.900.14-179.1 openSUSE Leap 42.3:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-32bit-1.900.14-179.1 moderate 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://www.suse.com/security/cve/CVE-2016-9391.html CVE-2016-9391 https://bugzilla.suse.com/1010782 SUSE Bug 1010782 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The calcstepsizes function in jpc_dec.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. CVE-2016-9392 openSUSE Leap 42.2:jasper-1.900.14-179.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-179.1 openSUSE Leap 42.3:jasper-1.900.14-179.1 openSUSE Leap 42.3:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-32bit-1.900.14-179.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://www.suse.com/security/cve/CVE-2016-9392.html CVE-2016-9392 https://bugzilla.suse.com/1010757 SUSE Bug 1010757 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jpc_pi_nextrpcl function in jpc_t2cod.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. CVE-2016-9393 openSUSE Leap 42.2:jasper-1.900.14-179.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-179.1 openSUSE Leap 42.3:jasper-1.900.14-179.1 openSUSE Leap 42.3:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-32bit-1.900.14-179.1 moderate 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://www.suse.com/security/cve/CVE-2016-9393.html CVE-2016-9393 https://bugzilla.suse.com/1010757 SUSE Bug 1010757 https://bugzilla.suse.com/1010766 SUSE Bug 1010766 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. CVE-2016-9394 openSUSE Leap 42.2:jasper-1.900.14-179.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-179.1 openSUSE Leap 42.3:jasper-1.900.14-179.1 openSUSE Leap 42.3:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-32bit-1.900.14-179.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://www.suse.com/security/cve/CVE-2016-9394.html CVE-2016-9394 https://bugzilla.suse.com/1010756 SUSE Bug 1010756 https://bugzilla.suse.com/1010757 SUSE Bug 1010757 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check to see if the image contained at least one component resulting in a denial-of-service. CVE-2017-1000050 openSUSE Leap 42.2:jasper-1.900.14-179.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-1.900.14-179.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-179.1 openSUSE Leap 42.3:jasper-1.900.14-179.1 openSUSE Leap 42.3:libjasper-devel-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-1.900.14-179.1 openSUSE Leap 42.3:libjasper1-32bit-1.900.14-179.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://www.suse.com/security/cve/CVE-2017-1000050.html CVE-2017-1000050 https://bugzilla.suse.com/1047958 SUSE Bug 1047958 https://bugzilla.suse.com/1178702 SUSE Bug 1178702