Security update for jasper SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0303-1 Final 1 1 2021-02-18T06:52:10Z current 2021-02-18T06:52:10Z 2021-02-18T06:52:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jasper This update for jasper fixes the following issues: - bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls - bsc#1181483 CVE-2021-3272: Fix buffer over-read in jp2_decode This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-303 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I6ZF7VRY24X2GVC7MCP6MQKQBRKCSJ2A/ E-Mail link for openSUSE-SU-2021:0303-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1179748 SUSE Bug 1179748 https://bugzilla.suse.com/1181483 SUSE Bug 1181483 https://www.suse.com/security/cve/CVE-2020-27828/ SUSE CVE CVE-2020-27828 page https://www.suse.com/security/cve/CVE-2021-3272/ SUSE CVE CVE-2021-3272 page openSUSE Leap 15.2 jasper-2.0.14-lp152.7.6.1 libjasper-devel-2.0.14-lp152.7.6.1 libjasper4-2.0.14-lp152.7.6.1 libjasper4-32bit-2.0.14-lp152.7.6.1 jasper-2.0.14-lp152.7.6.1 as a component of openSUSE Leap 15.2 libjasper-devel-2.0.14-lp152.7.6.1 as a component of openSUSE Leap 15.2 libjasper4-2.0.14-lp152.7.6.1 as a component of openSUSE Leap 15.2 libjasper4-32bit-2.0.14-lp152.7.6.1 as a component of openSUSE Leap 15.2 There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability. CVE-2020-27828 openSUSE Leap 15.2:jasper-2.0.14-lp152.7.6.1 openSUSE Leap 15.2:libjasper-devel-2.0.14-lp152.7.6.1 openSUSE Leap 15.2:libjasper4-2.0.14-lp152.7.6.1 openSUSE Leap 15.2:libjasper4-32bit-2.0.14-lp152.7.6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I6ZF7VRY24X2GVC7MCP6MQKQBRKCSJ2A/ https://www.suse.com/security/cve/CVE-2020-27828.html CVE-2020-27828 https://bugzilla.suse.com/1179748 SUSE Bug 1179748 jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components. CVE-2021-3272 openSUSE Leap 15.2:jasper-2.0.14-lp152.7.6.1 openSUSE Leap 15.2:libjasper-devel-2.0.14-lp152.7.6.1 openSUSE Leap 15.2:libjasper4-2.0.14-lp152.7.6.1 openSUSE Leap 15.2:libjasper4-32bit-2.0.14-lp152.7.6.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I6ZF7VRY24X2GVC7MCP6MQKQBRKCSJ2A/ https://www.suse.com/security/cve/CVE-2021-3272.html CVE-2021-3272 https://bugzilla.suse.com/1181483 SUSE Bug 1181483