This update for jasper fixes the following issues:
Update to 4.2.8:
- CVE-2025-8837: Fixed a bug in the JPC decoder that could cause bad memory accesses if the debug level is set sufficiently high (bsc#1247901).
- CVE-2025-8836: Added some missing range checking on several coding parameters in the JPC encoder (bsc#1247902).
- CVE-2025-8835: Added a check for a missing color component in the jas_image_chclrspc function (bsc#1247904).
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-223=1
- openSUSE Leap 16.0:
jasper-4.2.8-160000.1.1
libjasper-devel-4.2.8-160000.1.1
libjasper7-4.2.8-160000.1.1
* bsc#1247901
* bsc#1247902
* bsc#1247904
References:
* https://www.suse.com/security/cve/CVE-2025-8835.html
* https://www.suse.com/security/cve/CVE-2025-8836.html
* https://www.suse.com/security/cve/CVE-2025-8837.html
Get the latest Linux and open source security news straight to your inbox.