Security update for jasper SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1517-1 Final 1 1 2020-09-24T12:21:31Z current 2020-09-24T12:21:31Z 2020-09-24T12:21:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jasper This update for jasper fixes the following issues: - CVE-2016-9398: Improved patch for already fixed issue (bsc#1010979). - CVE-2016-9399: Fix assert in calcstepsizes (bsc#1010980). - CVE-2017-5499: Validate component depth bit (bsc#1020451). - CVE-2017-5503: Check bounds in jas_seq2d_bindsub() (bsc#1020456). - CVE-2017-5504: Check bounds in jas_seq2d_bindsub() (bsc#1020458). - CVE-2017-5505: Check bounds in jas_seq2d_bindsub() (bsc#1020460). - CVE-2017-14132: Fix heap base overflow in by checking components (bsc#1057152). - CVE-2018-9252: Fix reachable assertion in jpc_abstorelstepsize (bsc#1088278). - CVE-2018-18873: Fix null pointer deref in ras_putdatastd (bsc#1114498). - CVE-2018-19139: Fix mem leaks by registering jpc_unk_destroyparms (bsc#1115637). - CVE-2018-19543, bsc#1045450 CVE-2017-9782: Fix numchans mixup (bsc#1117328). - CVE-2018-20570: Fix heap based buffer over-read in jp2_encode (bsc#1120807). - CVE-2018-20622: Fix memory leak in jas_malloc.c (bsc#1120805). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1517 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ E-Mail link for openSUSE-SU-2020:1517-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1010979 SUSE Bug 1010979 https://bugzilla.suse.com/1010980 SUSE Bug 1010980 https://bugzilla.suse.com/1020451 SUSE Bug 1020451 https://bugzilla.suse.com/1020456 SUSE Bug 1020456 https://bugzilla.suse.com/1020458 SUSE Bug 1020458 https://bugzilla.suse.com/1020460 SUSE Bug 1020460 https://bugzilla.suse.com/1045450 SUSE Bug 1045450 https://bugzilla.suse.com/1057152 SUSE Bug 1057152 https://bugzilla.suse.com/1088278 SUSE Bug 1088278 https://bugzilla.suse.com/1114498 SUSE Bug 1114498 https://bugzilla.suse.com/1115637 SUSE Bug 1115637 https://bugzilla.suse.com/1117328 SUSE Bug 1117328 https://bugzilla.suse.com/1120805 SUSE Bug 1120805 https://bugzilla.suse.com/1120807 SUSE Bug 1120807 https://www.suse.com/security/cve/CVE-2016-9398/ SUSE CVE CVE-2016-9398 page https://www.suse.com/security/cve/CVE-2016-9399/ SUSE CVE CVE-2016-9399 page https://www.suse.com/security/cve/CVE-2017-14132/ SUSE CVE CVE-2017-14132 page https://www.suse.com/security/cve/CVE-2017-5499/ SUSE CVE CVE-2017-5499 page https://www.suse.com/security/cve/CVE-2017-5503/ SUSE CVE CVE-2017-5503 page https://www.suse.com/security/cve/CVE-2017-5504/ SUSE CVE CVE-2017-5504 page https://www.suse.com/security/cve/CVE-2017-5505/ SUSE CVE CVE-2017-5505 page https://www.suse.com/security/cve/CVE-2017-9782/ SUSE CVE CVE-2017-9782 page https://www.suse.com/security/cve/CVE-2018-18873/ SUSE CVE CVE-2018-18873 page https://www.suse.com/security/cve/CVE-2018-19139/ SUSE CVE CVE-2018-19139 page https://www.suse.com/security/cve/CVE-2018-19543/ SUSE CVE CVE-2018-19543 page https://www.suse.com/security/cve/CVE-2018-20570/ SUSE CVE CVE-2018-20570 page https://www.suse.com/security/cve/CVE-2018-20622/ SUSE CVE CVE-2018-20622 page https://www.suse.com/security/cve/CVE-2018-9252/ SUSE CVE CVE-2018-9252 page openSUSE Leap 15.1 jasper-2.0.14-lp151.4.9.1 libjasper-devel-2.0.14-lp151.4.9.1 libjasper4-2.0.14-lp151.4.9.1 libjasper4-32bit-2.0.14-lp151.4.9.1 jasper-2.0.14-lp151.4.9.1 as a component of openSUSE Leap 15.1 libjasper-devel-2.0.14-lp151.4.9.1 as a component of openSUSE Leap 15.1 libjasper4-2.0.14-lp151.4.9.1 as a component of openSUSE Leap 15.1 libjasper4-32bit-2.0.14-lp151.4.9.1 as a component of openSUSE Leap 15.1 The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors. CVE-2016-9398 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 moderate 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2016-9398.html CVE-2016-9398 https://bugzilla.suse.com/1010979 SUSE Bug 1010979 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The calcstepsizes function in jpc_dec.c in JasPer 1.900.22 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors. CVE-2016-9399 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 moderate 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2016-9399.html CVE-2016-9399 https://bugzilla.suse.com/1010980 SUSE Bug 1010980 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17, 1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27, 1.900.28, 1.900.29, 1.900.30, 1.900.31, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted image, related to the jas_image_ishomosamp function in libjasper/base/jas_image.c. CVE-2017-14132 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 low 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2017-14132.html CVE-2017-14132 https://bugzilla.suse.com/1057152 SUSE Bug 1057152 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 Integer overflow in libjasper/jpc/jpc_dec.c in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted file. CVE-2017-5499 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2017-5499.html CVE-2017-5499 https://bugzilla.suse.com/1020451 SUSE Bug 1020451 https://bugzilla.suse.com/1020456 SUSE Bug 1020456 https://bugzilla.suse.com/1020460 SUSE Bug 1020460 https://bugzilla.suse.com/1115637 SUSE Bug 1115637 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The dec_clnpass function in libjasper/jpc/jpc_t1dec.c in JasPer 1.900.27 allows remote attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via a crafted image. CVE-2017-5503 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2017-5503.html CVE-2017-5503 https://bugzilla.suse.com/1020456 SUSE Bug 1020456 https://bugzilla.suse.com/1020458 SUSE Bug 1020458 https://bugzilla.suse.com/1020460 SUSE Bug 1020460 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jpc_undo_roi function in libjasper/jpc/jpc_dec.c in JasPer 1.900.27 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted image. CVE-2017-5504 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2017-5504.html CVE-2017-5504 https://bugzilla.suse.com/1020456 SUSE Bug 1020456 https://bugzilla.suse.com/1020458 SUSE Bug 1020458 https://bugzilla.suse.com/1020460 SUSE Bug 1020460 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 The jas_matrix_asl function in jas_seq.c in JasPer 1.900.27 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted image. CVE-2017-5505 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2017-5505.html CVE-2017-5505 https://bugzilla.suse.com/1020456 SUSE Bug 1020456 https://bugzilla.suse.com/1020458 SUSE Bug 1020458 https://bugzilla.suse.com/1020460 SUSE Bug 1020460 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 JasPer 2.0.12 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted image, related to the jp2_decode function in libjasper/jp2/jp2_dec.c. CVE-2017-9782 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2017-9782.html CVE-2017-9782 https://bugzilla.suse.com/1045450 SUSE Bug 1045450 https://bugzilla.suse.com/1117328 SUSE Bug 1117328 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 An issue was discovered in JasPer 2.0.14. There is a NULL pointer dereference in the function ras_putdatastd in ras/ras_enc.c. CVE-2018-18873 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2018-18873.html CVE-2018-18873 https://bugzilla.suse.com/1114495 SUSE Bug 1114495 https://bugzilla.suse.com/1114498 SUSE Bug 1114498 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 An issue has been found in JasPer 2.0.14. There is a memory leak in jas_malloc.c when called from jpc_unk_getparms in jpc_cs.c. CVE-2018-19139 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2018-19139.html CVE-2018-19139 https://bugzilla.suse.com/1115637 SUSE Bug 1115637 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 An issue was discovered in JasPer 2.0.14. There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c. CVE-2018-19543 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2018-19543.html CVE-2018-19543 https://bugzilla.suse.com/1045450 SUSE Bug 1045450 https://bugzilla.suse.com/1117328 SUSE Bug 1117328 https://bugzilla.suse.com/1117507 SUSE Bug 1117507 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 jp2_encode in jp2/jp2_enc.c in JasPer 2.0.14 has a heap-based buffer over-read. CVE-2018-20570 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2018-20570.html CVE-2018-20570 https://bugzilla.suse.com/1120807 SUSE Bug 1120807 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 JasPer 2.0.14 has a memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used. CVE-2018-20622 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2018-20622.html CVE-2018-20622 https://bugzilla.suse.com/1115637 SUSE Bug 1115637 https://bugzilla.suse.com/1120805 SUSE Bug 1120805 https://bugzilla.suse.com/1178702 SUSE Bug 1178702 JasPer 2.0.14 allows denial of service via a reachable assertion in the function jpc_abstorelstepsize in libjasper/jpc/jpc_enc.c. CVE-2018-9252 openSUSE Leap 15.1:jasper-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper-devel-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-2.0.14-lp151.4.9.1 openSUSE Leap 15.1:libjasper4-32bit-2.0.14-lp151.4.9.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZNYUBLSX2ZSBGFVNDEMDDHDZ2UPLCJR2/ https://www.suse.com/security/cve/CVE-2018-9252.html CVE-2018-9252 https://bugzilla.suse.com/1088278 SUSE Bug 1088278 https://bugzilla.suse.com/1178702 SUSE Bug 1178702