{ "schema_version": "1.7.0", "id": "MGASA-2016-0100", "published": "2016-03-07T18:03:54Z", "modified": "2016-03-07T17:58:22Z", "summary": "Updated jasper packages fix security vulnerabilities", "details": "Updated jasper packages fix security vulnerabilities:\n\nThe jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote\nattackers to cause a denial of service (invalid read and application\ncrash) via a crafted JPEG 2000 image (CVE-2016-2089).\n\nJacob Baines discovered that a double free vulnerability in the\njas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows\nremote attackers to cause a denial of service (crash) or possibly execute\narbitrary code via a crafted ICC color profile in a JPEG 2000 image file\n(CVE-2016-1577).\n\nTyler Hicks discovered that a memory leak in the\njas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows\nremote attackers to cause a denial of service (memory consumption) via a\ncrafted ICC color profile in a JPEG 2000 image file (CVE-2016-2116).\n", "upstream": [ "CVE-2016-1577", "CVE-2016-2089", "CVE-2016-2116" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2016-0100.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=17872" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/usn-2919-1/" } ], "affected": [ { "package": { "ecosystem": "Mageia:5", "name": "jasper", "purl": "pkg:rpm/mageia/jasper?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.900.1-20.4.mga5" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }