ID CVE-2008-3520
Summary Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation.
References
Vulnerable Configurations
  • Jasper Project Jasper 1.900.1
    cpe:2.3:a:jasper_project:jasper:1.900.1
CVSS
Base: 9.3 (as of 03-10-2008 - 08:22)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200812-18.NASL
    description The remote host is affected by the vulnerability described in GLSA-200812-18 (JasPer: User-assisted execution of arbitrary code) Marc Espie and Christian Weisgerber have discovered multiple vulnerabilities in JasPer: Multiple integer overflows might allow for insufficient memory allocation, leading to heap-based buffer overflows (CVE-2008-3520). The jas_stream_printf() function in libjasper/base/jas_stream.c uses vsprintf() to write user-provided data to a static to a buffer, leading to an overflow (CVE-2008-3522). Impact : Remote attackers could entice a user or automated system to process specially crafted jpeg2k files with an application using JasPer, possibly leading to the execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 35189
    published 2008-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35189
    title GLSA-200812-18 : JasPer: User-assisted execution of arbitrary code
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0698.NASL
    description Updated rhevm-spice-client packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Virtualization Manager 3. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat Enterprise Virtualization Manager provides access to virtual machines using SPICE. These SPICE client packages provide the SPICE client and usbclerk service for both Windows 32-bit operating systems and Windows 64-bit operating systems. This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails. This can prevent a forceful downgrade of the communication to SSL 3.0. The SSL 3.0 protocol was found to be vulnerable to the padding oracle attack when using block cipher suites in cipher block chaining (CBC) mode. This issue is identified as CVE-2014-3566, and also known under the alias POODLE. This SSL 3.0 protocol flaw will not be addressed in a future update; it is recommended that users configure their applications to require at least TLS protocol version 1.0 for secure communication. For additional information about this flaw, see the Knowledgebase article at https://access.redhat.com/articles/1232123 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8138, CVE-2014-8157, CVE-2014-8158, CVE-2014-9029, CVE-2014-8137, CVE-2011-4516, CVE-2011-4517, CVE-2008-3520, CVE-2008-3522) Red Hat would like to thank oCERT for reporting CVE-2014-8137, CVE-2014-8138, CVE-2014-8157, CVE-2014-8158, CVE-2014-9029, CVE-2011-4516, and CVE-2011-4517. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter of CVE-2014-8137 and CVE-2014-8138; and pyddeh as the original reporter of CVE-2014-8157 and CVE-2014-8158. The mingw-openssl and mingw-jasper packages have been upgraded to the latest upstream version, which provides a number of bug fixes and enhancements over the previous version. (BZ#1187585) This update also fixes the following bugs : * Previously, a guest system installed with tools incorrectly always started in full screen mode, even when the 'Open in Full Screen' option was unchecked in console options. Now, when connecting in window mode with the option unchecked, the guest system starts in a window as expected. (BZ#1172126) * Prior to this update, copying and pasting of images from the client to the guest did not work when spice-gtk was built from upstream. Now, images can be copied and pasted without problems. (BZ#1187270) In addition, this update adds the following enhancement : * Administrators now have the option of automatic multiuser installation of virt-viewer onto many client workstations. (BZ#1187272) All rhevm-spice-client users are advised to upgrade to these updated packages, which correct these issues and add these enhancement.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 81969
    published 2015-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81969
    title RHEL 6 : rhevm-spice-client (RHSA-2015:0698) (POODLE)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-742-1.NASL
    description It was discovered that JasPer did not correctly handle memory allocation when parsing certain malformed JPEG2000 images. If a user were tricked into opening a specially crafted image with an application that uses libjasper, an attacker could cause a denial of service and possibly execute arbitrary code with the user's privileges. (CVE-2008-3520) It was discovered that JasPer created temporary files in an insecure way. Local users could exploit a race condition and cause a denial of service in libjasper applications. (CVE-2008-3521) It was discovered that JasPer did not correctly handle certain formatting operations. If a user were tricked into opening a specially crafted image with an application that uses libjasper, an attacker could cause a denial of service and possibly execute arbitrary code with the user's privileges. (CVE-2008-3522). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 37359
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37359
    title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : jasper vulnerabilities (USN-742-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_8FF84335A7DA11E2B3F5003067C2616F.NASL
    description Fedora reports : JasPer fails to properly decode marker segments and other sections in malformed JPEG2000 files. Malformed inputs can cause heap buffer overflows which in turn may result in execution of attacker-controlled code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 66012
    published 2013-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66012
    title FreeBSD : jasper -- buffer overflow (8ff84335-a7da-11e2-b3f5-003067c2616f)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_JASPER-5782.NASL
    description Multiple, potentially dangerous integer overflows, buffer overflows and a problem with temporary files have been fixed. (CVE-2008-3520 / CVE-2008-3521 / CVE-2008-3522)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 34968
    published 2008-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34968
    title SuSE 10 Security Update : jasper (ZYPP Patch Number 5782)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-317.NASL
    description Multiple security vulnerabilities has been identified and fixed in netpbm : Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation (CVE-2008-3520). Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf (CVE-2008-3522). pamperspective in Netpbm before 10.35.48 does not properly calculate a window height, which allows context-dependent attackers to cause a denial of service (crash) via a crafted image file that triggers an out-of-bounds read (CVE-2008-4799). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update fixes this vulnerability.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 43020
    published 2009-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43020
    title Mandriva Linux Security Advisory : netpbm (MDVSA-2009:317)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_JASPER-5771.NASL
    description Multiple, potentially dangerous integer overflows, buffer overflows and a problem with temporary files have been fixed (CVE-2008-3520, CVE-2008-3521, CVE-2008-3522).
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 34982
    published 2008-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34982
    title openSUSE 10 Security Update : jasper (jasper-5771)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-142.NASL
    description Multiple security vulnerabilities has been identified and fixed in jasper : The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert (CVE-2007-2721). Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation (CVE-2008-3520). The jas_stream_tmpfile function in libjasper/base/jas_stream.c in JasPer 1.900.1 allows local users to overwrite arbitrary files via a symlink attack on a tmp.XXXXXXXXXX temporary file (CVE-2008-3521). Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf (CVE-2008-3522). The updated packages have been patched to prevent this. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 39552
    published 2009-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39552
    title Mandriva Linux Security Advisory : jasper (MDVSA-2009:142-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1317-1.NASL
    description It was discovered that Ghostscript did not correctly handle memory allocation when parsing certain malformed JPEG-2000 images. If a user or automated system were tricked into opening a specially crafted image, an attacker could cause a denial of service and possibly execute arbitrary code with user privileges. (CVE-2008-3520) It was discovered that Ghostscript did not correctly handle certain formatting operations when parsing JPEG-2000 images. If a user or automated system were tricked into opening a specially crafted image, an attacker could cause a denial of service and possibly execute arbitrary code with user privileges. (CVE-2008-3522) It was discovered that Ghostscript incorrectly handled certain malformed TrueType fonts. If a user or automated system were tricked into opening a document containing a specially crafted font, an attacker could cause a denial of service and possibly execute arbitrary code with user privileges. This issue only affected Ubuntu 8.04 LTS. (CVE-2009-3743) It was discovered that Ghostscript incorrectly handled certain malformed Type 2 fonts. If a user or automated system were tricked into opening a document containing a specially crafted font, an attacker could cause a denial of service and possibly execute arbitrary code with user privileges. This issue only affected Ubuntu 8.04 LTS. (CVE-2010-4054) Jonathan Foote discovered that Ghostscript incorrectly handled certain malformed JPEG-2000 image files. If a user or automated system were tricked into opening a specially crafted JPEG-2000 image file, an attacker could cause Ghostscript to crash or possibly execute arbitrary code with user privileges. (CVE-2011-4516, CVE-2011-4517). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 57436
    published 2012-01-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57436
    title Ubuntu 8.04 LTS / 10.04 LTS / 10.10 : ghostscript vulnerabilities (USN-1317-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_JASPER-081114.NASL
    description Multiple, potentially dangerous integer overflows, buffer overflows and a problem with temporary files have been fixed (CVE-2008-3520, CVE-2008-3521, CVE-2008-3522).
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 39995
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39995
    title openSUSE Security Update : jasper (jasper-303)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12295.NASL
    description Multiple potentially dangerous integer overflows, buffer overflows, and a problem with temporary files have been fixed. CVE-2008-3520, CVE-2008-3521, CVE-2008-3522)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 41255
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41255
    title SuSE9 Security Update : jasper (YOU Patch Number 12295)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0012.NASL
    description Updated netpbm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The netpbm package contains a library of functions for editing and converting between various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others. An input validation flaw and multiple integer overflows were discovered in the JasPer library providing support for JPEG-2000 image format and used in the jpeg2ktopam and pamtojpeg2k converters. An attacker could create a carefully-crafted JPEG file which could cause jpeg2ktopam to crash or, possibly, execute arbitrary code as the user running jpeg2ktopam. (CVE-2007-2721, CVE-2008-3520) All users are advised to upgrade to these updated packages which contain backported patches which resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 35650
    published 2009-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35650
    title CentOS 4 : netpbm (CESA-2009:0012)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-144.NASL
    description Multiple security vulnerabilities has been identified and fixed in ghostscript : Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation (CVE-2008-3520). Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf (CVE-2008-3522). Previousely the ghostscript packages were statically built against a bundled and private copy of the jasper library. This update makes ghostscript link against the shared system jasper library which makes it easier to address presumptive future security issues in the jasper library.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 39562
    published 2009-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39562
    title Mandriva Linux Security Advisory : ghostscript (MDVSA-2009:144)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0012.NASL
    description From Red Hat Security Advisory 2009:0012 : Updated netpbm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The netpbm package contains a library of functions for editing and converting between various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others. An input validation flaw and multiple integer overflows were discovered in the JasPer library providing support for JPEG-2000 image format and used in the jpeg2ktopam and pamtojpeg2k converters. An attacker could create a carefully-crafted JPEG file which could cause jpeg2ktopam to crash or, possibly, execute arbitrary code as the user running jpeg2ktopam. (CVE-2007-2721, CVE-2008-3520) All users are advised to upgrade to these updated packages which contain backported patches which resolve these issues.
    last seen 2019-02-21
    modified 2016-05-06
    plugin id 67788
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67788
    title Oracle Linux 4 / 5 : netpbm (ELSA-2009-0012)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090211_NETPBM_ON_SL4_X.NASL
    description An input validation flaw and multiple integer overflows were discovered in the JasPer library providing support for JPEG-2000 image format and used in the jpeg2ktopam and pamtojpeg2k converters. An attacker could create a carefully-crafted JPEG file which could cause jpeg2ktopam to crash or, possibly, execute arbitrary code as the user running jpeg2ktopam. (CVE-2007-2721, CVE-2008-3520)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60534
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60534
    title Scientific Linux Security Update : netpbm on SL4.x, SL5.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-311.NASL
    description Multiple security vulnerabilities has been identified and fixed in ghostscript : A buffer underflow in Ghostscript's CCITTFax decoding filter allows remote attackers to cause denial of service and possibly to execute arbitrary by using a crafted PDF file (CVE-2007-6725). Buffer overflow in Ghostscript's BaseFont writer module allows remote attackers to cause a denial of service and possibly to execute arbitrary code via a crafted Postscript file (CVE-2008-6679). Multiple interger overflows in Ghostsript's International Color Consortium Format Library (icclib) allows attackers to cause denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code by using either a PostScript or PDF file with crafte embedded images (CVE-2009-0583, CVE-2009-0584). Multiple interger overflows in Ghostsript's International Color Consortium Format Library (icclib) allows attackers to cause denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code by using either a PostScript or PDF file with crafte embedded images. Note: this issue exists because of an incomplete fix for CVE-2009-0583 (CVE-2009-0792). Heap-based overflow in Ghostscript's JBIG2 decoding library allows attackers to cause denial of service and possibly to execute arbitrary code by using a crafted PDF file (CVE-2009-0196). Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation (CVE-2008-3520). Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf (CVE-2008-3522). Previousely the ghostscript packages were statically built against a bundled and private copy of the jasper library. This update makes ghostscript link against the shared system jasper library which makes it easier to address presumptive future security issues in the jasper library. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides fixes for that vulnerabilities.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 42997
    published 2009-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42997
    title Mandriva Linux Security Advisory : ghostscript (MDVSA-2009:311)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-10761.NASL
    description - Tue Oct 13 2009 Rex Dieter - 1.900.1-13 - CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls (#461476) - CVE-2008-3522 jasper: possible buffer overflow in jas_stream_printf() (#461478) - Fri Jul 24 2009 Fedora Release Engineering - 1.900.1-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - Sat Jul 18 2009 Rex Dieter - 1.900.1-11 - FTBFS jasper-1.900.1-10.fc11 (#511743) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 42275
    published 2009-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42275
    title Fedora 11 : jasper-1.900.1-13.fc11 (2009-10761)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2015-302-02.NASL
    description New jasper packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 86663
    published 2015-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86663
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : jasper (SSA:2015-302-02)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-10737.NASL
    description - Tue Oct 13 2009 Rex Dieter - 1.900.1-13 - CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls (#461476) - CVE-2008-3522 jasper: possible buffer overflow in jas_stream_printf() (#461478) - Fri Jul 24 2009 Fedora Release Engineering - 1.900.1-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - Sat Jul 18 2009 Rex Dieter - 1.900.1-11 - FTBFS jasper-1.900.1-10.fc11 (#511743) - Wed Feb 25 2009 Fedora Release Engineering - 1.900.1-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 42274
    published 2009-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42274
    title Fedora 10 : jasper-1.900.1-13.fc10 (2009-10737)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0012.NASL
    description Updated netpbm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The netpbm package contains a library of functions for editing and converting between various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others. An input validation flaw and multiple integer overflows were discovered in the JasPer library providing support for JPEG-2000 image format and used in the jpeg2ktopam and pamtojpeg2k converters. An attacker could create a carefully-crafted JPEG file which could cause jpeg2ktopam to crash or, possibly, execute arbitrary code as the user running jpeg2ktopam. (CVE-2007-2721, CVE-2008-3520) All users are advised to upgrade to these updated packages which contain backported patches which resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 35652
    published 2009-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35652
    title RHEL 4 / 5 : netpbm (RHSA-2009:0012)
oval via4
accepted 2013-04-29T04:02:10.176-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation.
family unix
id oval:org.mitre.oval:def:10141
status accepted
submitted 2010-07-09T03:56:16-04:00
title Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation.
version 24
redhat via4
advisories
  • bugzilla
    id 461476
    title CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhsa:tst:20060016001
      • OR
        • AND
          • comment netpbm is earlier than 0:10.25-2.1.el4_7.4
            oval oval:com.redhat.rhsa:tst:20090012002
          • comment netpbm is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20080131003
        • AND
          • comment netpbm-devel is earlier than 0:10.25-2.1.el4_7.4
            oval oval:com.redhat.rhsa:tst:20090012006
          • comment netpbm-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20080131005
        • AND
          • comment netpbm-progs is earlier than 0:10.25-2.1.el4_7.4
            oval oval:com.redhat.rhsa:tst:20090012004
          • comment netpbm-progs is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20080131007
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • OR
        • AND
          • comment netpbm is earlier than 0:10.35-6.1.el5_3.1
            oval oval:com.redhat.rhsa:tst:20090012009
          • comment netpbm is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20090012010
        • AND
          • comment netpbm-devel is earlier than 0:10.35-6.1.el5_3.1
            oval oval:com.redhat.rhsa:tst:20090012013
          • comment netpbm-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20090012014
        • AND
          • comment netpbm-progs is earlier than 0:10.35-6.1.el5_3.1
            oval oval:com.redhat.rhsa:tst:20090012011
          • comment netpbm-progs is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20090012012
    rhsa
    id RHSA-2009:0012
    released 2009-02-11
    severity Moderate
    title RHSA-2009:0012: netpbm security update (Moderate)
  • rhsa
    id RHSA-2015:0698
rpms
  • netpbm-0:10.25-2.1.el4_7.4
  • netpbm-devel-0:10.25-2.1.el4_7.4
  • netpbm-progs-0:10.25-2.1.el4_7.4
  • netpbm-0:10.35-6.1.el5_3.1
  • netpbm-devel-0:10.35-6.1.el5_3.1
  • netpbm-progs-0:10.35-6.1.el5_3.1
refmap via4
bid 31470
gentoo GLSA-200812-18
mandriva
  • MDVSA-2009:142
  • MDVSA-2009:144
  • MDVSA-2009:164
misc http://bugs.gentoo.org/show_bug.cgi?id=222819
secunia
  • 33173
  • 34391
slackware SSA:2015-302-02
ubuntu USN-742-1
xf jasper-image-file-bo(45621)
Last major update 06-12-2016 - 21:59
Published 02-10-2008 - 14:18
Last modified 28-09-2017 - 21:31
Back to Top