Arch Linux Security Advisory ASA-201612-9
=========================================
Severity: Critical
Date    : 2016-12-07
CVE-ID  : CVE-2015-5203 CVE-2015-8751 CVE-2016-2089 CVE-2016-8690
          CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8884
          CVE-2016-8885 CVE-2016-8887 CVE-2016-9262 CVE-2016-9387
          CVE-2016-9388 CVE-2016-9557 CVE-2016-9560
Package : jasper
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package jasper before version 1.900.31-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========
Upgrade to 1.900.31-1.

# pacman -Syu "jasper>=1.900.31-1"

The problems have been fixed upstream in version 1.900.31.

Workaround
==========
None.

Description
===========
- CVE-2015-5203 (arbitrary code execution)

A double free flaw was found in the way JasPer's
jasper_image_stop_load() function parsed certain JPEG 2000 image files.
A specially crafted file could cause an application using JasPer to
crash or possibly execute arbitrary code.

- CVE-2015-8751 (denial of service)

An integer overflow flaw was found in the way the JasPer library's
jas_matrix_create() function parsed certain JPEG 2000 image files. A
specially crafted file could cause an application using JasPer to
crash.

- CVE-2016-2089 (denial of service)

The jas_matrix_clip function in jas_seq.c allows remote attackers to
cause a denial of service (invalid read and application crash) via a
crafted JPEG 2000 image.

- CVE-2016-8690 (denial of service)

A null pointer dereference vulnerability was found in bmp_getdata,
triggered by invoking the imginfo command on a specially crafted BMP
image.

- CVE-2016-8691 (denial of service)

A division by zero vulnerability was found in jpc_dec_process_siz,
triggered by invoking the imginfo command on a specially crafted file.

- CVE-2016-8692 (denial of service)

A division by zero vulnerability was found in jpc_dec_process_siz,
triggered by invoking the imginfo command on a specially crafted file.

- CVE-2016-8693 (denial of service)

A double free vulnerability was found in mem_close in jas_stream.c,
triggered by invoking the imginfo command on a specially crafted image
file.

- CVE-2016-8884 (denial of service)

A null pointer dereference vulnerability has been discovered in
bmp_getdata in bmp_dec.c.

- CVE-2016-8885 (denial of service)

A null pointer dereference vulnerability has been discovered in
bmp_getdata in bmp_dec.c.

- CVE-2016-8887 (denial of service)

A null pointer dereference vulnerability was found in jp2_colr_destroy
in jp2_cod.c, leading to an application crash.

- CVE-2016-9262 (arbitrary code execution)

A number of overflows were found in jasper, causing a use-after-free
vulnerability triggered by a crafted image.

- CVE-2016-9387 (denial of service)

An integer overflow was found in jpc_dec_process_siz that can be
triggered by a crafted image file when given as input to imginfo.

- CVE-2016-9388 (denial of service)

Improper error handling was found in the RAS encoder/decoder,
triggering assertion tests that result in a denial of service.

- CVE-2016-9557 (denial of service)

A signed integer overflow vulnerability has been discovered in
jas_image.c triggered by a crafted image. An option max_samples has
been added to the BMP and JPEG decoders to restrict the maximum size of
image that they can decode. This change was made as a (possibly
temporary) fix to address security concerns.

- CVE-2016-9560 (arbitrary code execution)

A stack buffer overflow vulnerability has been discovered in
jpc/jpc_dec.c due to an out-of-bounds array write triggered by a
crafted image.

Impact
======
A remote attacker is able to perform a denial of service attack or
execute arbitrary code on the affected host.

References
==========
http://seclists.org/oss-sec/2015/q3/366
https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c3
http://seclists.org/oss-sec/2016/q1/44
https://bugzilla.redhat.com/show_bug.cgi?id=1294039
http://www.openwall.com/lists/oss-security/2016/10/16/14
https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/
https://github.com/jasper-software/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca
https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020
https://github.com/mdadams/jasper/commit/44a524e367597af58d6265ae2014468b334d0309
https://github.com/jasper-software/jasper/commit/5d66894d2313e3f3469f19066
http://seclists.org/oss-sec/2016/q4/213
https://github.com/jasper-software/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d
http://seclists.org/oss-sec/2016/q4/215
https://github.com/jasper-software/jasper/commit/634ce8e8a5accc0fa05dd2
http://seclists.org/oss-sec/2016/q4/385
https://github.com/jasper-software/jasper/commit/d91198abd00fc435a397fe6bad906a4c1748e9cf
http://seclists.org/oss-sec/2016/q4/441
https://github.com/jasper-software/jasper/commit/411a4068f8c464e883358bf403a3e25158863823
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
http://www.openwall.com/lists/oss-security/2016/11/23/2
https://github.com/jasper-software/jasper/commit/1abc2e5a401a4bf1d5ca4df91358ce5df111f495
http://www.openwall.com/lists/oss-security/2016/11/23/5
https://access.redhat.com/security/cve/CVE-2015-5203
https://access.redhat.com/security/cve/CVE-2015-8751
https://access.redhat.com/security/cve/CVE-2016-2089
https://access.redhat.com/security/cve/CVE-2016-8690
https://access.redhat.com/security/cve/CVE-2016-8691
https://access.redhat.com/security/cve/CVE-2016-8692
https://access.redhat.com/security/cve/CVE-2016-8693
https://access.redhat.com/security/cve/CVE-2016-8884
https://access.redhat.com/security/cve/CVE-2016-8885
https://access.redhat.com/security/cve/CVE-2016-8887
https://access.redhat.com/security/cve/CVE-2016-9262
https://access.redhat.com/security/cve/CVE-2016-9387
https://access.redhat.com/security/cve/CVE-2016-9388
https://access.redhat.com/security/cve/CVE-2016-9557
https://access.redhat.com/security/cve/CVE-2016-9560

ArchLinux: 201612-9: jasper: multiple issues

December 9, 2016
