2018-06-28
ALT-BU-2018-3328-3
Branch sisyphus update bulletin.
Closed bugs
Ошибка при смене пароля. Обратитесь к администратору.
Closed bugs
Содержит файлы шрифтов, содержащиеся в пакете fonts-ttf-dejavu
Closed bugs
Содержит файлы шрифтов, содержащиеся в пакете fonts-ttf-dejavu
Closed vulnerabilities
Published: 2017-03-15
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-10251
Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in JasPer before 1.900.20 allows remote attackers to have unspecified impact via a crafted file, which triggers use of an uninitialized value.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- http://www.debian.org/security/2017/dsa-3827
- http://www.securityfocus.com/bid/97584
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/04/jasper-use-of-uninitialized-value-in-jpc_pi_nextcprl-jpc_t2cod-c/
- https://github.com/mdadams/jasper/commit/1f0dfe5a42911b6880a1445f13f6d615ddb55387
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://www.debian.org/security/2017/dsa-3827
- http://www.securityfocus.com/bid/97584
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/04/jasper-use-of-uninitialized-value-in-jpc_pi_nextcprl-jpc_t2cod-c/
- https://github.com/mdadams/jasper/commit/1f0dfe5a42911b6880a1445f13f6d615ddb55387
- https://www.oracle.com/security-alerts/cpuapr2020.html
Published: 2018-08-01
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2016-8654
A heap-buffer overflow vulnerability was found in QMFB code in JPC codec caused by buffer being allocated with too small size. jasper versions before 2.0.0 are affected.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- http://www.securityfocus.com/bid/94583
- https://access.redhat.com/errata/RHSA-2017:1208
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8654
- https://github.com/mdadams/jasper/commit/4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a
- https://github.com/mdadams/jasper/issues/93
- https://github.com/mdadams/jasper/issues/94
- https://www.debian.org/security/2017/dsa-3785
- http://www.securityfocus.com/bid/94583
- https://access.redhat.com/errata/RHSA-2017:1208
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8654
- https://github.com/mdadams/jasper/commit/4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a
- https://github.com/mdadams/jasper/issues/93
- https://github.com/mdadams/jasper/issues/94
- https://www.debian.org/security/2017/dsa-3785
Published: 2017-02-15
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-8690
The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted BMP image in an imginfo command.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/08/23/6
- http://www.openwall.com/lists/oss-security/2016/10/16/14
- http://www.securityfocus.com/bid/93590
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/
- https://bugzilla.redhat.com/show_bug.cgi?id=1385499
- https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca
- https://lists.debian.org/debian-lts-announce/2018/11/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD/
- http://www.openwall.com/lists/oss-security/2016/08/23/6
- http://www.openwall.com/lists/oss-security/2016/10/16/14
- http://www.securityfocus.com/bid/93590
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/
- https://bugzilla.redhat.com/show_bug.cgi?id=1385499
- https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca
- https://lists.debian.org/debian-lts-announce/2018/11/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD/
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9262
Multiple integer overflows in the (1) jas_realloc function in base/jas_malloc.c and (2) mem_resize function in base/jas_stream.c in JasPer before 1.900.22 allow remote attackers to cause a denial of service via a crafted image, which triggers use after free vulnerabilities.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/11/10/4
- http://www.securityfocus.com/bid/94224
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c
- https://bugzilla.redhat.com/show_bug.cgi?id=1393882
- https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735
- https://security.gentoo.org/glsa/201707-07
- https://usn.ubuntu.com/3693-1/
- http://www.openwall.com/lists/oss-security/2016/11/10/4
- http://www.securityfocus.com/bid/94224
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c
- https://bugzilla.redhat.com/show_bug.cgi?id=1393882
- https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735
- https://security.gentoo.org/glsa/201707-07
- https://usn.ubuntu.com/3693-1/
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9388
The ras_getcmap function in ras_dec.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94371
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396962
- https://github.com/mdadams/jasper/commit/411a4068f8c464e883358bf403a3e25158863823
- https://usn.ubuntu.com/3693-1/
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94371
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396962
- https://github.com/mdadams/jasper/commit/411a4068f8c464e883358bf403a3e25158863823
- https://usn.ubuntu.com/3693-1/
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9389
The jpc_irct and jpc_iict functions in jpc_mct.c in JasPer before 1.900.14 allow remote attackers to cause a denial of service (assertion failure).
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94371
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396963
- https://github.com/mdadams/jasper/commit/dee11ec440d7908d1daf69f40a3324b27cf213ba
- https://usn.ubuntu.com/3693-1/
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94371
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396963
- https://github.com/mdadams/jasper/commit/dee11ec440d7908d1daf69f40a3324b27cf213ba
- https://usn.ubuntu.com/3693-1/
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9390
The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94371
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396965
- https://github.com/mdadams/jasper/commit/ba2b9d000660313af7b692542afbd374c5685865
- https://usn.ubuntu.com/3693-1/
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94371
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396965
- https://github.com/mdadams/jasper/commit/ba2b9d000660313af7b692542afbd374c5685865
- https://usn.ubuntu.com/3693-1/
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9391
The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a very large integer.
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94371
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396967
- https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b
- https://usn.ubuntu.com/3693-1/
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94371
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396967
- https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b
- https://usn.ubuntu.com/3693-1/
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9392
The calcstepsizes function in jpc_dec.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94377
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396971
- https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330
- https://usn.ubuntu.com/3693-1/
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94377
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396971
- https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330
- https://usn.ubuntu.com/3693-1/
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9394
The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94372
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396975
- https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330
- https://usn.ubuntu.com/3693-1/
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94372
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396975
- https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330
- https://usn.ubuntu.com/3693-1/
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9395
The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.25 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94376
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396977
- https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94376
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396977
- https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9397
The jpc_dequantize function in jpc_dec.c in JasPer 1.900.13 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors.
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94373
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396979
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N4ALB4SXHURLVWKAOKYRNJXPABW3M22M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPOVZTSIQPW2H4AFLMI3LHJEZGBVEQET/
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94373
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396979
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N4ALB4SXHURLVWKAOKYRNJXPABW3M22M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPOVZTSIQPW2H4AFLMI3LHJEZGBVEQET/
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9398
The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors.
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00082.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00085.html
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94382
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396980
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N4ALB4SXHURLVWKAOKYRNJXPABW3M22M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPOVZTSIQPW2H4AFLMI3LHJEZGBVEQET/
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00082.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00085.html
- http://www.openwall.com/lists/oss-security/2016/11/17/1
- http://www.securityfocus.com/bid/94382
- https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure
- https://bugzilla.redhat.com/show_bug.cgi?id=1396980
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N4ALB4SXHURLVWKAOKYRNJXPABW3M22M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPOVZTSIQPW2H4AFLMI3LHJEZGBVEQET/
Published: 2017-03-23
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9557
Integer overflow in jas_image.c in JasPer before 1.900.25 allows remote attackers to cause a denial of service (application crash) via a crafted file.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2016/11/23/2
- http://www.securityfocus.com/bid/94490
- https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c
- https://bugzilla.redhat.com/show_bug.cgi?id=1398251
- https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
- http://www.openwall.com/lists/oss-security/2016/11/23/2
- http://www.securityfocus.com/bid/94490
- https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c
- https://bugzilla.redhat.com/show_bug.cgi?id=1398251
- https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
Published: 2017-02-15
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-9560
Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_tsfb.c in JasPer before 1.900.30 allows remote attackers to have unspecified impact via a crafted image.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- http://www.debian.org/security/2017/dsa-3785
- http://www.openwall.com/lists/oss-security/2016/11/20/1
- http://www.openwall.com/lists/oss-security/2016/11/23/5
- http://www.securityfocus.com/bid/94428
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/20/jasper-stack-based-buffer-overflow-in-jpc_tsfb_getbands2-jpc_tsfb-c/
- https://github.com/Hack-Me/Pocs_for_Multi_Versions/tree/main/CVE-2016-9560
- https://github.com/mdadams/jasper/commit/1abc2e5a401a4bf1d5ca4df91358ce5df111f495
- http://www.debian.org/security/2017/dsa-3785
- http://www.openwall.com/lists/oss-security/2016/11/20/1
- http://www.openwall.com/lists/oss-security/2016/11/23/5
- http://www.securityfocus.com/bid/94428
- https://access.redhat.com/errata/RHSA-2017:1208
- https://blogs.gentoo.org/ago/2016/11/20/jasper-stack-based-buffer-overflow-in-jpc_tsfb_getbands2-jpc_tsfb-c/
- https://github.com/Hack-Me/Pocs_for_Multi_Versions/tree/main/CVE-2016-9560
- https://github.com/mdadams/jasper/commit/1abc2e5a401a4bf1d5ca4df91358ce5df111f495
Published: 2018-08-01
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2016-9583
An out-of-bounds heap read vulnerability was found in the jpc_pi_nextpcrl() function of jasper before 2.0.6 when processing crafted input.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- http://www.securityfocus.com/bid/94925
- https://access.redhat.com/errata/RHSA-2017:1208
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9583
- https://github.com/mdadams/jasper/commit/aa0b0f79ade5eef8b0e7a214c03f5af54b36ba7d
- https://github.com/mdadams/jasper/commit/f25486c3d4aa472fec79150f2c41ed4333395d3d
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- http://www.securityfocus.com/bid/94925
- https://access.redhat.com/errata/RHSA-2017:1208
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9583
- https://github.com/mdadams/jasper/commit/aa0b0f79ade5eef8b0e7a214c03f5af54b36ba7d
- https://github.com/mdadams/jasper/commit/f25486c3d4aa472fec79150f2c41ed4333395d3d
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Published: 2018-03-09
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2016-9591
JasPer before version 2.0.12 is vulnerable to a use-after-free in the way it decodes certain JPEG 2000 image files resulting in a crash on the application using JasPer.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://www.securityfocus.com/bid/94952
- https://access.redhat.com/errata/RHSA-2017:1208
- https://bugzilla.redhat.com/show_bug.cgi?id=1406405
- https://security.gentoo.org/glsa/201707-07
- https://www.debian.org/security/2017/dsa-3827
- http://www.securityfocus.com/bid/94952
- https://access.redhat.com/errata/RHSA-2017:1208
- https://bugzilla.redhat.com/show_bug.cgi?id=1406405
- https://security.gentoo.org/glsa/201707-07
- https://www.debian.org/security/2017/dsa-3827
Published: 2018-03-12
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2016-9600
JasPer before version 2.0.10 is vulnerable to a null pointer dereference was found in the decoded creation of JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (6.5)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2017-03-15
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2017-6850
The jp2_cdef_destroy function in jp2_cod.c in JasPer before 2.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-jp2_cdef_destroy-jp2_cod-c/
- https://github.com/mdadams/jasper/commit/e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d
- https://github.com/mdadams/jasper/issues/112
- https://usn.ubuntu.com/3693-1/
- https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-jp2_cdef_destroy-jp2_cod-c/
- https://github.com/mdadams/jasper/commit/e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d
- https://github.com/mdadams/jasper/issues/112
- https://usn.ubuntu.com/3693-1/
Published: 2017-03-15
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2017-6851
The jas_matrix_bindsub function in jas_seq.c in JasPer 2.0.10 allows remote attackers to cause a denial of service (invalid read) via a crafted image.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- https://blogs.gentoo.org/ago/2017/01/25/jasper-invalid-memory-read-in-jas_matrix_bindsub-jas_seq-c/
- https://github.com/mdadams/jasper/issues/113
- https://security.gentoo.org/glsa/201908-03
- https://blogs.gentoo.org/ago/2017/01/25/jasper-invalid-memory-read-in-jas_matrix_bindsub-jas_seq-c/
- https://github.com/mdadams/jasper/issues/113
- https://security.gentoo.org/glsa/201908-03
Published: 2017-03-15
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2017-6852
Heap-based buffer overflow in the jpc_dec_decodepkt function in jpc_t2dec.c in JasPer 2.0.10 allows remote attackers to have unspecified impact via a crafted image.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8)Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- https://blogs.gentoo.org/ago/2017/01/25/jasper-heap-based-buffer-overflow-in-jpc_dec_decodepkt-jpc_t2dec-c/
- https://github.com/mdadams/jasper/issues/114
- https://security.gentoo.org/glsa/201908-03
- https://blogs.gentoo.org/ago/2017/01/25/jasper-heap-based-buffer-overflow-in-jpc_dec_decodepkt-jpc_t2dec-c/
- https://github.com/mdadams/jasper/issues/114
- https://security.gentoo.org/glsa/201908-03