[arch-security] [ASA-201412-22] jasper: arbitrary code execution

Levente Polyak anthraxx at archlinux.org
Fri Dec 19 04:16:19 UTC 2014


Arch Linux Security Advisory ASA-201412-22
==========================================

Severity: Critical
Date    : 2014-12-19
CVE-ID  : jasper
Package : CVE-2014-8137 CVE-2014-9029 CVE-2011-4516 CVE-2011-4517
Type    : arbitrary code execution, denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package jasper before version 1.900.1-12 is vulnerable to arbitrary
code execution and denial of service.

Resolution
==========

Upgrade to 1.900.1-12.

# pacman -Syu "jasper>=1.900.1-12"

The problems have not been fixed upstream but patches were added.

Workaround
==========

None.

Description
===========

- CVE-2014-8137 (arbitrary code execution)
A double free flaw was found in the way JasPer parsed ICC color profiles
in JPEG 2000 image files. A specially crafted file could cause an
application using JasPer to crash or, possibly, execute arbitrary code.

- CVE-2014-9029 (arbitrary code execution)
Multiple off-by-one errors in the (1) jpc_dec_cp_setfromcox and (2)
jpc_dec_cp_setfromrgn functions in jpc/jpc_dec.c in JasPer 1.900.1 and
earlier allow remote attackers to execute arbitrary code via a crafted
jp2 file, which triggers a heap-based buffer overflow.

- CVE-2011-4516 (arbitrary code execution)
Heap-based buffer overflow in the jpc_cox_getcompparms function in
libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption)
via a crafted numrlvls value in a coding style default (COD) marker
segment in a JPEG2000 file.

- CVE-2011-4517 (arbitrary code execution)
The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer
1.900.1 uses an incorrect data type during a certain size calculation,
which allows remote attackers to trigger a heap-based buffer overflow
and execute arbitrary code, or cause a denial of service (heap memory
corruption), via a crafted component registration (CRG) marker segment
in a JPEG2000 file.

Impact
======

An attacker is able to execute arbitrary code or perform a denial of
service attack via various vulnerabilities.

References
==========

https://marc.info/?l=oss-security&m=141770163916268&w=2
https://marc.info/?l=oss-security&m=141891163026757&w=2
https://access.redhat.com/security/cve/CVE-2014-8137
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9029
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4516
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4517
https://bugs.archlinux.org/task/43044
https://bugs.archlinux.org/task/43155

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141219/ab9fde29/attachment.bin>


More information about the arch-security mailing list