Security update for jasper SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0101-1 Final 1 1 2017-01-10T14:13:38Z current 2017-01-10T14:13:38Z 2017-01-10T14:13:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jasper This update for jasper fixes the following issues: - CVE-2016-8654: Heap-based buffer overflow in QMFB code in JPC codec. (bsc#1012530) - CVE-2016-9395: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010977) - CVE-2016-9398: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010979) - CVE-2016-9560: Stack-based buffer overflow in jpc_tsfb_getbands2. (bsc#1011830) - CVE-2016-9591: Use-after-free on heap in jas_matrix_destroy. (bsc#1015993) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html E-Mail link for openSUSE-SU-2017:0101-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 jasper-1.900.14-170.1 libjasper-devel-1.900.14-170.1 libjasper1-1.900.14-170.1 libjasper1-32bit-1.900.14-170.1 jasper-1.900.14-170.1 as a component of openSUSE Leap 42.1 libjasper-devel-1.900.14-170.1 as a component of openSUSE Leap 42.1 libjasper1-1.900.14-170.1 as a component of openSUSE Leap 42.1 libjasper1-32bit-1.900.14-170.1 as a component of openSUSE Leap 42.1 jasper-1.900.14-170.1 as a component of openSUSE Leap 42.2 libjasper-devel-1.900.14-170.1 as a component of openSUSE Leap 42.2 libjasper1-1.900.14-170.1 as a component of openSUSE Leap 42.2 libjasper1-32bit-1.900.14-170.1 as a component of openSUSE Leap 42.2 A heap-buffer overflow vulnerability was found in QMFB code in JPC codec caused by buffer being allocated with too small size. jasper versions before 2.0.0 are affected. CVE-2016-8654 openSUSE Leap 42.1:jasper-1.900.14-170.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-170.1 openSUSE Leap 42.2:jasper-1.900.14-170.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-170.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html https://www.suse.com/security/cve/CVE-2016-8654.html CVE-2016-8654 https://bugzilla.suse.com/1012530 SUSE Bug 1012530 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.25 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. CVE-2016-9395 openSUSE Leap 42.1:jasper-1.900.14-170.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-170.1 openSUSE Leap 42.2:jasper-1.900.14-170.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-170.1 moderate 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html https://www.suse.com/security/cve/CVE-2016-9395.html CVE-2016-9395 https://bugzilla.suse.com/1010977 SUSE Bug 1010977 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors. CVE-2016-9398 openSUSE Leap 42.1:jasper-1.900.14-170.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-170.1 openSUSE Leap 42.2:jasper-1.900.14-170.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-170.1 moderate 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html https://www.suse.com/security/cve/CVE-2016-9398.html CVE-2016-9398 https://bugzilla.suse.com/1010979 SUSE Bug 1010979 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_tsfb.c in JasPer 1.900.26, 1.900.27, 1.900.28, 1.900.29 and 1.900.30 allows remote attackers to have unspecified impact via a crafted image. CVE-2016-9560 openSUSE Leap 42.1:jasper-1.900.14-170.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-170.1 openSUSE Leap 42.2:jasper-1.900.14-170.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-170.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html https://www.suse.com/security/cve/CVE-2016-9560.html CVE-2016-9560 https://bugzilla.suse.com/1011830 SUSE Bug 1011830 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 JasPer before version 2.0.12 is vulnerable to a use-after-free in the way it decodes certain JPEG 2000 image files resulting in a crash on the application using JasPer. CVE-2016-9591 openSUSE Leap 42.1:jasper-1.900.14-170.1 openSUSE Leap 42.1:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-1.900.14-170.1 openSUSE Leap 42.1:libjasper1-32bit-1.900.14-170.1 openSUSE Leap 42.2:jasper-1.900.14-170.1 openSUSE Leap 42.2:libjasper-devel-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-1.900.14-170.1 openSUSE Leap 42.2:libjasper1-32bit-1.900.14-170.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html https://www.suse.com/security/cve/CVE-2016-9591.html CVE-2016-9591 https://bugzilla.suse.com/1015993 SUSE Bug 1015993 https://bugzilla.suse.com/1178702 SUSE Bug 1178702