Security update for jasper SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2279-1 Final 1 1 2019-10-07T14:20:59Z current 2019-10-07T14:20:59Z 2019-10-07T14:20:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jasper This update for jasper fixes the following issues: Security issues fixed: - CVE-2018-19540: Fixed a heap based overflow in jas_icctxtdesc_input (bsc#1117508). - CVE-2018-19541: Fix heap based overread in jas_image_depalettize (bsc#1117507). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2279 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UJSNBFOOKYKU7PNNS3PPQY4XHQVUNWER/#UJSNBFOOKYKU7PNNS3PPQY4XHQVUNWER E-Mail link for openSUSE-SU-2019:2279-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1117507 SUSE Bug 1117507 https://bugzilla.suse.com/1117508 SUSE Bug 1117508 https://www.suse.com/security/cve/CVE-2018-19540/ SUSE CVE CVE-2018-19540 page https://www.suse.com/security/cve/CVE-2018-19541/ SUSE CVE CVE-2018-19541 page openSUSE Leap 15.0 jasper-2.0.14-lp150.2.6.1 libjasper-devel-2.0.14-lp150.2.6.1 libjasper4-2.0.14-lp150.2.6.1 libjasper4-32bit-2.0.14-lp150.2.6.1 jasper-2.0.14-lp150.2.6.1 as a component of openSUSE Leap 15.0 libjasper-devel-2.0.14-lp150.2.6.1 as a component of openSUSE Leap 15.0 libjasper4-2.0.14-lp150.2.6.1 as a component of openSUSE Leap 15.0 libjasper4-32bit-2.0.14-lp150.2.6.1 as a component of openSUSE Leap 15.0 An issue was discovered in JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17, 1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27, 1.900.28, 1.900.29, 1.900.30, 1.900.31, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16. There is a heap-based buffer overflow of size 1 in the function jas_icctxtdesc_input in libjasper/base/jas_icc.c. CVE-2018-19540 openSUSE Leap 15.0:jasper-2.0.14-lp150.2.6.1 openSUSE Leap 15.0:libjasper-devel-2.0.14-lp150.2.6.1 openSUSE Leap 15.0:libjasper4-2.0.14-lp150.2.6.1 openSUSE Leap 15.0:libjasper4-32bit-2.0.14-lp150.2.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UJSNBFOOKYKU7PNNS3PPQY4XHQVUNWER/#UJSNBFOOKYKU7PNNS3PPQY4XHQVUNWER https://www.suse.com/security/cve/CVE-2018-19540.html CVE-2018-19540 https://bugzilla.suse.com/1117508 SUSE Bug 1117508 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 An issue was discovered in JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17, 1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27, 1.900.28, 1.900.29, 1.900.30, 1.900.31, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16. There is a heap-based buffer over-read of size 8 in the function jas_image_depalettize in libjasper/base/jas_image.c. CVE-2018-19541 openSUSE Leap 15.0:jasper-2.0.14-lp150.2.6.1 openSUSE Leap 15.0:libjasper-devel-2.0.14-lp150.2.6.1 openSUSE Leap 15.0:libjasper4-2.0.14-lp150.2.6.1 openSUSE Leap 15.0:libjasper4-32bit-2.0.14-lp150.2.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UJSNBFOOKYKU7PNNS3PPQY4XHQVUNWER/#UJSNBFOOKYKU7PNNS3PPQY4XHQVUNWER https://www.suse.com/security/cve/CVE-2018-19541.html CVE-2018-19541 https://bugzilla.suse.com/1117507 SUSE Bug 1117507 https://bugzilla.suse.com/1119411 SUSE Bug 1119411 https://bugzilla.suse.com/1178702 SUSE Bug 1178702