Security update for jasper SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2833-1 Final 1 1 2016-11-17T15:15:05Z current 2016-11-17T15:15:05Z 2016-11-17T15:15:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jasper This update for jasper to version 1.900.14 fixes several issues. These security issues were fixed: - CVE-2016-8887: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (bsc#1006836) - CVE-2016-8886: memory allocation failure in jas_malloc (jas_malloc.c) (bsc#1006599) - CVE-2016-8884,CVE-2016-8885: two null pointer dereferences in bmp_getdata (incomplete fix for CVE-2016-8690) (bsc#1007009) - CVE-2016-8883: assert in jpc_dec_tiledecode() (bsc#1006598) - CVE-2016-8882: segfault / null pointer access in jpc_pi_destroy (bsc#1006597) - CVE-2016-8881: Heap overflow in jpc_getuint16() (bsc#1006593) - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox() (bsc#1006591) - CVE-2016-8693 Double free vulnerability in mem_close (bsc#1005242) - CVE-2016-8691, CVE-2016-8692: Divide by zero in jpc_dec_process_siz (bsc#1005090) - CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted BMP image (bsc#1005084) - CVE-2016-2116: Memory leak in the jas_iccprof_createfrombuf function in JasPer allowed remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file (bsc#968373) - CVE-2016-2089: invalid read in the JasPer's jas_matrix_clip() function (bsc#963983) - CVE-2016-1867: Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function (bsc#961886) - CVE-2015-5221: Use-after-free (and double-free) in Jasper JPEG-200 (bsc#942553). - CVE-2015-5203: Double free corruption in JasPer JPEG-2000 implementation (bsc#941919) - CVE-2008-3522: Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer might have allowed context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf (bsc#392410) - jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887) (bsc#1006839) For additional change description please have a look at the changelog. This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html E-Mail link for openSUSE-SU-2016:2833-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 jasper-1.900.14-167.1 libjasper-devel-1.900.14-167.1 libjasper1-1.900.14-167.1 libjasper1-32bit-1.900.14-167.1 jasper-1.900.14-167.1 as a component of openSUSE Leap 42.1 libjasper-devel-1.900.14-167.1 as a component of openSUSE Leap 42.1 libjasper1-1.900.14-167.1 as a component of openSUSE Leap 42.1 libjasper1-32bit-1.900.14-167.1 as a component of openSUSE Leap 42.1 jasper-1.900.14-167.1 as a component of openSUSE Leap 42.2 libjasper-devel-1.900.14-167.1 as a component of openSUSE Leap 42.2 libjasper1-1.900.14-167.1 as a component of openSUSE Leap 42.2 libjasper1-32bit-1.900.14-167.1 as a component of openSUSE Leap 42.2 Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf. CVE-2008-3522 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2008-3522.html CVE-2008-3522 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 https://bugzilla.suse.com/392410 SUSE Bug 392410 Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image. CVE-2014-8158 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2014-8158.html CVE-2014-8158 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 https://bugzilla.suse.com/911837 SUSE Bug 911837 Double free vulnerability in the jasper_image_stop_load function in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. CVE-2015-5203 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2015-5203.html CVE-2015-5203 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 https://bugzilla.suse.com/941919 SUSE Bug 941919 https://bugzilla.suse.com/942553 SUSE Bug 942553 Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. CVE-2015-5221 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2015-5221.html CVE-2015-5221 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 https://bugzilla.suse.com/942553 SUSE Bug 942553 Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file, a different vulnerability than CVE-2014-8137. CVE-2016-1577 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-1577.html CVE-2016-1577 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 https://bugzilla.suse.com/968373 SUSE Bug 968373 The jpc_pi_nextcprl function in JasPer 1.900.1 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG 2000 image. CVE-2016-1867 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-1867.html CVE-2016-1867 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 https://bugzilla.suse.com/961886 SUSE Bug 961886 The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted JPEG 2000 image. CVE-2016-2089 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-2089.html CVE-2016-2089 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 https://bugzilla.suse.com/963983 SUSE Bug 963983 Memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file. CVE-2016-2116 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-2116.html CVE-2016-2116 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 https://bugzilla.suse.com/968373 SUSE Bug 968373 The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted BMP image in an imginfo command. CVE-2016-8690 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8690.html CVE-2016-8690 https://bugzilla.suse.com/1005084 SUSE Bug 1005084 https://bugzilla.suse.com/1007009 SUSE Bug 1007009 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted XRsiz value in a BMP image to the imginfo command. CVE-2016-8691 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8691.html CVE-2016-8691 https://bugzilla.suse.com/1005090 SUSE Bug 1005090 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted YRsiz value in a BMP image to the imginfo command. CVE-2016-8692 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8692.html CVE-2016-8692 https://bugzilla.suse.com/1005090 SUSE Bug 1005090 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command. CVE-2016-8693 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8693.html CVE-2016-8693 https://bugzilla.suse.com/1005242 SUSE Bug 1005242 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-4516. Reason: This candidate is a duplicate of CVE-2011-4516. Notes: All CVE users should reference CVE-2011-4516 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2016-8880 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8880.html CVE-2016-8880 https://bugzilla.suse.com/1006591 SUSE Bug 1006591 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-4517. Reason: This candidate is a duplicate of CVE-2011-4517. Notes: All CVE users should reference CVE-2011-4517 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2016-8881 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8881.html CVE-2016-8881 https://bugzilla.suse.com/1006593 SUSE Bug 1006593 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. CVE-2016-8882 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8882.html CVE-2016-8882 https://bugzilla.suse.com/1006597 SUSE Bug 1006597 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. CVE-2016-8883 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8883.html CVE-2016-8883 https://bugzilla.suse.com/1006598 SUSE Bug 1006598 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8690. CVE-2016-8884 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8884.html CVE-2016-8884 https://bugzilla.suse.com/1005084 SUSE Bug 1005084 https://bugzilla.suse.com/1007009 SUSE Bug 1007009 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.9 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. CVE-2016-8885 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8885.html CVE-2016-8885 https://bugzilla.suse.com/1005084 SUSE Bug 1005084 https://bugzilla.suse.com/1007009 SUSE Bug 1007009 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jas_malloc function in libjasper/base/jas_malloc.c in JasPer before 1.900.11 allows remote attackers to have unspecified impact via a crafted file, which triggers a memory allocation failure. CVE-2016-8886 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8886.html CVE-2016-8886 https://bugzilla.suse.com/1006599 SUSE Bug 1006599 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jp2_colr_destroy function in libjasper/jp2/jp2_cod.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (NULL pointer dereference). CVE-2016-8887 openSUSE Leap 42.1:jasper-1.900.14-167.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-1.900.14-167.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-167.1 openSUSE Leap 42.2:jasper-1.900.14-167.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-1.900.14-167.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-167.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html https://www.suse.com/security/cve/CVE-2016-8887.html CVE-2016-8887 https://bugzilla.suse.com/1006836 SUSE Bug 1006836 https://bugzilla.suse.com/1006839 SUSE Bug 1006839 https://bugzilla.suse.com/1178702 SUSE Bug 1178702