Updated jasper packages fix security vulnerabilities
Publication date: 07 Mar 2016
Modification date: 07 Mar 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-1577, CVE-2016-2089, CVE-2016-2116
Description
Updated jasper packages fix security vulnerabilities:
The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote
attackers to cause a denial of service (invalid read and application
crash) via a crafted JPEG 2000 image (CVE-2016-2089).
Jacob Baines discovered that a double free vulnerability in the
jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows
remote attackers to cause a denial of service (crash) or possibly execute
arbitrary code via a crafted ICC color profile in a JPEG 2000 image file
(CVE-2016-1577).
Tyler Hicks discovered that a memory leak in the
jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows
remote attackers to cause a denial of service (memory consumption) via a
crafted ICC color profile in a JPEG 2000 image file (CVE-2016-2116).
SRPMS
5/core
- jasper-1.900.1-20.4.mga5