ID CVE-2016-9591
Summary JasPer before version 2.0.12 is vulnerable to a use-after-free in the way it decodes certain JPEG 2000 image files resulting in a crash on the application using JasPer.
References
Vulnerable Configurations
  • Jasper Project Jasper 1.900.1
    cpe:2.3:a:jasper_project:jasper:1.900.1
  • Jasper Project Jasper 1.900.3
    cpe:2.3:a:jasper_project:jasper:1.900.3
  • Jasper Project Jasper 1.900.5
    cpe:2.3:a:jasper_project:jasper:1.900.5
  • Jasper Project Jasper 1.900.7
    cpe:2.3:a:jasper_project:jasper:1.900.7
  • Jasper Project Jasper 1.900.8
    cpe:2.3:a:jasper_project:jasper:1.900.8
  • Jasper Project Jasper 1.900.9
    cpe:2.3:a:jasper_project:jasper:1.900.9
  • Jasper Project Jasper 1.900.10
    cpe:2.3:a:jasper_project:jasper:1.900.10
  • Jasper Project Jasper 1.900.11
    cpe:2.3:a:jasper_project:jasper:1.900.11
  • Jasper Project Jasper 1.900.12
    cpe:2.3:a:jasper_project:jasper:1.900.12
  • Jasper Project Jasper 1.900.13
    cpe:2.3:a:jasper_project:jasper:1.900.13
  • Jasper Project Jasper 1.900.14
    cpe:2.3:a:jasper_project:jasper:1.900.14
  • Jasper Project Jasper 1.900.16
    cpe:2.3:a:jasper_project:jasper:1.900.16
  • JasPer Project JasPer 1.900.17
    cpe:2.3:a:jasper_project:jasper:1.900.17
  • Jasper Project Jasper 1.900.19
    cpe:2.3:a:jasper_project:jasper:1.900.19
  • Jasper Project Jasper 1.900.21
    cpe:2.3:a:jasper_project:jasper:1.900.21
  • Jasper Project Jasper 1.900.22
    cpe:2.3:a:jasper_project:jasper:1.900.22
  • Jasper Project Jasper 1.900.24
    cpe:2.3:a:jasper_project:jasper:1.900.24
  • Jasper Project Jasper 1.900.29
    cpe:2.3:a:jasper_project:jasper:1.900.29
  • Jasper Project Jasper 2.0.6
    cpe:2.3:a:jasper_project:jasper:2.0.6
  • Jasper Project Jasper 2.0.9
    cpe:2.3:a:jasper_project:jasper:2.0.9
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.3
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.4
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
CVSS
Base: 4.3
Impact:
Exploitability:
CWE CWE-416
CAPEC
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0946-1.NASL
    description This update for jasper fixes the following issues: Security issues fixed : - CVE-2016-8654: Heap-based buffer overflow in QMFB code in JPC codec (bsc#1012530) - CVE-2016-9395: Missing sanity checks on the data in a SIZ marker segment (bsc#1010977). - CVE-2016-9398: jpc_math.c:94: int jpc_floorlog2(int): Assertion 'x > 0' failed. (bsc#1010979) - CVE-2016-9560: stack-based buffer overflow in jpc_tsfb_getbands2 (jpc_tsfb.c) (bsc#1011830) - CVE-2016-9583: Out of bounds heap read in jpc_pi_nextpcrl() (bsc#1015400) - CVE-2016-9591: Use-after-free on heap in jas_matrix_destroy (bsc#1015993) - CVE-2016-9600: NULL pointer Dereference due to missing check for UNKNOWN color space in JP2 encoder (bsc#1018088) - CVE-2016-10251: Use of uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c) (bsc#1029497) - CVE-2017-5498: left-shift undefined behaviour (bsc#1020353) - CVE-2017-6850: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) (bsc#1021868) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 99232
    published 2017-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99232
    title SUSE SLES11 Security Update : jasper (SUSE-SU-2017:0946-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3295-1.NASL
    description It was discovered that JasPer incorrectly handled certain malformed JPEG-2000 image files. If a user or automated system using JasPer were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 100294
    published 2017-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100294
    title Ubuntu 14.04 LTS / 16.04 LTS : jasper vulnerabilities (USN-3295-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3827.NASL
    description Multiple vulnerabilities have been discovered in the JasPer library for processing JPEG-2000 images, which may result in denial of service or the execution of arbitrary code if a malformed image is processed.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 99254
    published 2017-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99254
    title Debian DSA-3827-1 : jasper - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0084-1.NASL
    description This update for jasper fixes the following issues : - CVE-2016-8654: Heap-based buffer overflow in QMFB code in JPC codec. (bsc#1012530) - CVE-2016-9395: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010977) - CVE-2016-9398: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010979) - CVE-2016-9560: Stack-based buffer overflow in jpc_tsfb_getbands2. (bsc#1011830) - CVE-2016-9591: Use-after-free on heap in jas_matrix_destroy. (bsc#1015993) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96387
    published 2017-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96387
    title SUSE SLED12 / SLES12 Security Update : jasper (SUSE-SU-2017:0084-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0102.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Bump release - Multiple security fixes (fixed by thoger): CVE-2015-5203 CVE-2015-5221 CVE-2016-1577 CVE-2016-1867 (CVE-2016-2089) CVE-2016-2116 CVE-2016-8654 CVE-2016-8690 CVE-2016-8691 (CVE-2016-8692) CVE-2016-8693 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885 (CVE-2016-9262) CVE-2016-9387 CVE-2016-9388 CVE-2016-9389 CVE-2016-9390 (CVE-2016-9391) CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9560 (CVE-2016-9583) CVE-2016-9591 CVE-2016-9600 CVE-2016-10248 CVE-2016-10249 (CVE-2016-10251) - Fix implicit declaration warning caused by security fixes above - CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot (#1183672) - CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c (#1183680) - CVE-2014-8137 - double-free in in jas_iccattrval_destroy (#1173567) - CVE-2014-8138 - heap overflow in jp2_decode (#1173567) - CVE-2014-9029 - incorrect component number check in COC, RGN and QCC marker segment decoders (#1171209)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 100116
    published 2017-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100116
    title OracleVM 3.3 / 3.4 : jasper (OVMSA-2017-0102)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1208.NASL
    description From Red Hat Security Advisory 2017:1208 : An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix(es) : Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591) Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251) Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600; Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 100089
    published 2017-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100089
    title Oracle Linux 6 / 7 : jasper (ELSA-2017-1208)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170509_JASPER_ON_SL6_X.NASL
    description Security Fix(es) : Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591) Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 100120
    published 2017-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100120
    title Scientific Linux Security Update : jasper on SL6.x, SL7.x i386/x86_64
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1095.NASL
    description According to the versions of the jasper package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591) - Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 100812
    published 2017-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100812
    title EulerOS 2.0 SP2 : jasper (EulerOS-SA-2017-1095)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-CFC20D5D45.NASL
    description Security fix for CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9560, CVE-2016-9591, CVE-2016-9600, CVE-2016-10251 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-05-17
    plugin id 100231
    published 2017-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100231
    title Fedora 25 : jasper (2017-cfc20d5d45)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-70.NASL
    description This update for jasper fixes the following issues : - CVE-2016-8654: Heap-based buffer overflow in QMFB code in JPC codec. (bsc#1012530) - CVE-2016-9395: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010977) - CVE-2016-9398: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010979) - CVE-2016-9560: Stack-based buffer overflow in jpc_tsfb_getbands2. (bsc#1011830) - CVE-2016-9591: Use-after-free on heap in jas_matrix_destroy. (bsc#1015993) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2017-02-28
    plugin id 96400
    published 2017-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96400
    title openSUSE Security Update : jasper (openSUSE-2017-70)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-DA0B00FD64.NASL
    description Security fix for CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9560, CVE-2016-9591, CVE-2016-9600, CVE-2016-10251 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-05-19
    plugin id 100281
    published 2017-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100281
    title Fedora 24 : jasper (2017-da0b00fd64)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-920.NASL
    description CVE-2016-9591 Use-after-free on heap in jas_matrix_destroy The vulnerability exists in code responsible for re-encoding the decoded input image file to a JP2 image. The vulnerability is caused by not setting related pointers to be null after the pointers are freed (i.e. missing Setting-Pointer-Null operations after free). The vulnerability can further cause double-free. CVE-2016-10251 Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in JasPer before 1.900.20 allows remote attackers to have unspecified impact via a crafted file, which triggers use of an uninitialized value. Additional fix for TEMP-CVE from last upload to avoid hassle with SIZE_MAX For Debian 7 'Wheezy', these problems have been fixed in version 1.900.1-13+deb7u6. We recommend that you upgrade your jasper packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 99694
    published 2017-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99694
    title Debian DLA-920-1 : jasper security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1208.NASL
    description An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix(es) : Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591) Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251) Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600; Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 100093
    published 2017-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100093
    title RHEL 6 / 7 : jasper (RHSA-2017:1208)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-1208.NASL
    description An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix(es) : Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591) Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251) Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600; Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 101464
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101464
    title Virtuozzo 6 : jasper / jasper-devel / jasper-libs / jasper-utils (VZLSA-2017-1208)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-836.NASL
    description Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. ( CVE-2016-8654 , CVE-2016-9560 , CVE-2016-10249 , CVE-2015-5203 , CVE-2015-5221 , CVE-2016-1577 , CVE-2016-8690 , CVE-2016-8693 , CVE-2016-8884 , CVE-2016-8885 , CVE-2016-9262 , CVE-2016-9591 ) Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867 , CVE-2016-2089 , CVE-2016-2116 , CVE-2016-8691 , CVE-2016-8692 , CVE-2016-8883 , CVE-2016-9387 , CVE-2016-9388 , CVE-2016-9389 , CVE-2016-9390 , CVE-2016-9391 , CVE-2016-9392 , CVE-2016-9393 , CVE-2016-9394 , CVE-2016-9583 , CVE-2016-9600 , CVE-2016-10248 , CVE-2016-10251)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 100637
    published 2017-06-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100637
    title Amazon Linux AMI : jasper (ALAS-2017-836)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1094.NASL
    description According to the versions of the jasper package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591) - Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-29
    plugin id 100811
    published 2017-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100811
    title EulerOS 2.0 SP1 : jasper (EulerOS-SA-2017-1094)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201707-07.NASL
    description The remote host is affected by the vulnerability described in GLSA-201707-07 (JasPer: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in JasPer. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted image file using JasPer possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 101338
    published 2017-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101338
    title GLSA-201707-07 : JasPer: Multiple vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-1208.NASL
    description An update for jasper is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix(es) : Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591) Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251) Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600; Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 100174
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100174
    title CentOS 6 / 7 : jasper (CESA-2017:1208)
redhat via4
advisories
rhsa
id RHSA-2017:1208
rpms
  • jasper-0:1.900.1-30.el7_3
  • jasper-devel-0:1.900.1-30.el7_3
  • jasper-libs-0:1.900.1-30.el7_3
  • jasper-utils-0:1.900.1-30.el7_3
  • jasper-0:1.900.1-21.el6_9
  • jasper-devel-0:1.900.1-21.el6_9
  • jasper-libs-0:1.900.1-21.el6_9
  • jasper-utils-0:1.900.1-21.el6_9
refmap via4
bid 94952
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1406405
debian DSA-3827
gentoo GLSA-201707-07
Last major update 09-03-2018 - 15:29
Published 09-03-2018 - 15:29
Last modified 26-03-2018 - 13:31
Back to Top