SB2017062122 - Multiple vulnerabilities in JasPer
Published: June 21, 2017 Updated: March 13, 2024
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Reachable Assertion (CVE-ID: CVE-2017-13749)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There is a reachable assertion abort in the function jpc_pi_nextrpcl() in jpc/jpc_t2cod.c in JasPer 2.0.12 that will lead to a remote denial of service attack.
2) Reachable Assertion (CVE-ID: CVE-2017-13750)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1296 in JasPer 2.0.12 that will lead to a remote denial of service attack.
3) Reachable Assertion (CVE-ID: CVE-2017-13751)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There is a reachable assertion abort in the function calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack.
4) Reachable Assertion (CVE-ID: CVE-2017-13752)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There is a reachable assertion abort in the function jpc_dequantize() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack.
5) Reachable Assertion (CVE-ID: CVE-2017-13745)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There is a reachable assertion abort in the function jpc_dec_process_sot() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack by triggering an unexpected jpc_ppmstabtostreams return value, a different vulnerability than CVE-2018-9154.
6) Reachable Assertion (CVE-ID: CVE-2017-13746)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1297 in JasPer 2.0.12 that will lead to a remote denial of service attack.
7) Reachable Assertion (CVE-ID: CVE-2017-13747)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There is a reachable assertion abort in the function jpc_floorlog2() in jpc/jpc_math.c in JasPer 2.0.12 that will lead to a remote denial of service attack.
8) Input validation error (CVE-ID: CVE-2017-13748)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There are numerous memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack.
9) Out-of-bounds read (CVE-ID: CVE-2017-9782)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in JasPer 2.0.12. A remote attacker can perform a denial of service (heap-based buffer over-read and application crash) via a crafted image, related to the jp2_decode function in libjasper/jp2/jp2_dec.c.
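The seven reachable-assertion items above share one pattern: an invariant on fields taken from the input file is enforced with assert(), so a crafted image aborts the whole process instead of being rejected. The constructed C below is an added illustration, not JasPer's code, and its header layout, limits, and function names (parse_hdr_asserting, parse_hdr, safe_floorlog2) are assumptions for the example. It places the weak, asserting parser beside a hardened one that returns an error code for every check and releases its allocation on every rejection path, which is also the fix pattern for the memory-leak item (8).

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header layout for this example (NOT JasPer's real SIZ marker):
   width (4 bytes) | height (4 bytes) | numcomps (2 bytes) | one precision
   byte per component; all integers big-endian. */
enum { HDR_OK = 0, HDR_ERR_TRUNCATED = -1, HDR_ERR_RANGE = -2, HDR_ERR_NOMEM = -3 };
#define MAX_COMPS   16
#define MAX_PREC    32
#define MAX_PIXELS  (1ULL << 28)   /* decoder's pixel budget, assumed for the example */

struct img_hdr {
    uint32_t width, height;
    uint16_t numcomps;
    uint8_t *prec;    /* per-component bit depth, heap allocated */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* The weak pattern the bulletin describes: invariants on file-controlled
   fields enforced with assert(), so a malformed file aborts the process. */
void parse_hdr_asserting(const uint8_t *buf, size_t len, struct img_hdr *h)
{
    assert(len >= 10);                      /* reachable from untrusted input */
    h->width = be32(buf);
    h->height = be32(buf + 4);
    h->numcomps = be16(buf + 8);
    assert(h->width > 0 && h->height > 0 && h->numcomps > 0);
    assert(len >= 10 + (size_t)h->numcomps);
    h->prec = malloc(h->numcomps);
    assert(h->prec != NULL);
    memcpy(h->prec, buf + 10, h->numcomps);
}

/* floor(log2(x)) that reports x == 0 as an error instead of asserting
   (the same kind of helper as item 7's floor-log2 function, rewritten). */
int safe_floorlog2(uint32_t x, int *out)
{
    if (x == 0) return HDR_ERR_RANGE;
    int n = 0;
    while (x > 1) { x >>= 1; n++; }
    *out = n;
    return HDR_OK;
}

/* Hardened form: every check on untrusted data returns an error code, and
   every error path releases what was allocated so a rejected file cannot
   leak memory either. */
int parse_hdr(const uint8_t *buf, size_t len, struct img_hdr *h)
{
    h->prec = NULL;
    if (len < 10) return HDR_ERR_TRUNCATED;
    h->width = be32(buf);
    h->height = be32(buf + 4);
    h->numcomps = be16(buf + 8);
    if (h->width == 0 || h->height == 0) return HDR_ERR_RANGE;
    if (h->numcomps == 0 || h->numcomps > MAX_COMPS) return HDR_ERR_RANGE;
    if ((uint64_t)h->width * h->height > MAX_PIXELS) return HDR_ERR_RANGE;
    if (len - 10 < h->numcomps) return HDR_ERR_TRUNCATED;
    h->prec = malloc(h->numcomps);
    if (h->prec == NULL) return HDR_ERR_NOMEM;
    memcpy(h->prec, buf + 10, h->numcomps);
    for (uint16_t i = 0; i < h->numcomps; i++) {
        if (h->prec[i] == 0 || h->prec[i] > MAX_PREC) {
            free(h->prec);         /* no leak on the rejection path */
            h->prec = NULL;
            return HDR_ERR_RANGE;
        }
    }
    return HDR_OK;
}

void free_hdr(struct img_hdr *h) { free(h->prec); h->prec = NULL; }

int main(void)
{
    /* Constructed 16x8 image with 3 components of 8 bits each. */
    const uint8_t good[] = {0,0,0,16, 0,0,0,8, 0,3, 8,8,8};
    /* Same header with the width field zeroed: rejected, not aborted. */
    const uint8_t bad[] = {0,0,0,0, 0,0,0,8, 0,3, 8,8,8};
    struct img_hdr h;
    printf("good: %d\n", parse_hdr(good, sizeof good, &h));
    free_hdr(&h);
    printf("bad:  %d\n", parse_hdr(bad, sizeof bad, &h));
    return 0;
}
```

A caller of parse_hdr can log the error code and move on to the next file, whereas a single bad field handed to parse_hdr_asserting ends the process; when auditing a decoder, every assert() whose condition depends on bytes from the input is a candidate for this rewrite.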
Remediation
Install the update from the vendor's website.
References
- http://www.securityfocus.com/bid/100514
- https://bugzilla.redhat.com/show_bug.cgi?id=1485285
- https://security.gentoo.org/glsa/201908-03
- https://bugzilla.redhat.com/show_bug.cgi?id=1485280
- https://bugzilla.redhat.com/show_bug.cgi?id=1485283
- https://bugzilla.redhat.com/show_bug.cgi?id=1485276
- https://bugzilla.redhat.com/show_bug.cgi?id=1485274
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1485286
- https://bugzilla.redhat.com/show_bug.cgi?id=1485282
- https://bugzilla.redhat.com/show_bug.cgi?id=1485287
- https://lists.debian.org/debian-lts-announce/2018/11/msg00023.html
- https://github.com/mdadams/jasper/issues/140