-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0592
                         jasper security update
                               7 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jasper
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2116 CVE-2016-2089 CVE-2016-1577

Original Bulletin:
   http://www.debian.org/security/2016/dsa-3508

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running jasper check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-3508-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 06, 2016                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : jasper
CVE ID         : CVE-2016-1577 CVE-2016-2089 CVE-2016-2116
Debian Bug     : 812978 816625 816626

Several vulnerabilities were discovered in JasPer, a library for
manipulating JPEG-2000 files. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2016-1577

    Jacob Baines discovered a double-free flaw in the
    jas_iccattrval_destroy function.
    A remote attacker could exploit this flaw to cause an application
    using the JasPer library to crash, or potentially, to execute
    arbitrary code with the privileges of the user running the
    application.

CVE-2016-2089

    The Qihoo 360 Codesafe Team discovered a NULL pointer dereference
    flaw within the jas_matrix_clip function. A remote attacker could
    exploit this flaw to cause an application using the JasPer library
    to crash, resulting in a denial-of-service.

CVE-2016-2116

    Tyler Hicks discovered a memory leak flaw in the
    jas_iccprof_createfrombuf function. A remote attacker could exploit
    this flaw to cause the JasPer library to consume memory, resulting
    in a denial-of-service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.900.1-13+deb7u4.

For the stable distribution (jessie), these problems have been fixed in
version 1.900.1-debian1-2.4+deb8u1.

We recommend that you upgrade your jasper packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
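A version check against the fixed versions quoted in this advisory, added here as an example and not part of the Debian or AusCERT text: it re-implements dpkg's version ordering in Python (so it also runs off-host, without dpkg) and flags installed jasper binaries whose version is still below the fixed version for their suite. The dpkg-query output is a constructed sample; on a live host it would come from the dpkg-query command named in the comment.

```python
import re
# Fixed versions quoted in DSA-3508-1 for each Debian suite.
FIXED_VERSIONS = {"wheezy": "1.900.1-13+deb7u4",
                  "jessie": "1.900.1-debian1-2.4+deb8u1"}

def _order(c):
    # dpkg's order for non-digit chars: '~' before everything, letters before punctuation.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit / digit runs as dpkg's verrevcmp() does.
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a and not a[0].isdigit() else 0
            bc = _order(b[0]) if b and not b[0].isdigit() else 0
            if ac != bc:
                return -1 if ac < bc else 1
            a, b = a[1:], b[1:]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        an, bn = int(ma.group() or "0"), int(mb.group() or "0")
        if an != bn:
            return -1 if an < bn else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions` (epoch:upstream-revision)."""
    pat = re.compile(r"(?:(\d+):)?(.*?)(?:-([^-]*))?")
    (ea, ua, ra), (eb, ub, rb) = (pat.fullmatch(v).groups(default="") for v in (a, b))
    ea, eb = int(ea or 0), int(eb or 0)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def vulnerable_packages(dpkg_output, suite):
    """Map each installed jasper binary still below the suite's fixed version to its version."""
    below = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and "jasper" in parts[0]:
            pkg = parts[0].split(":")[0]  # drop the multi-arch ':amd64' qualifier
            if compare_versions(parts[1], FIXED_VERSIONS[suite]) < 0:
                below[pkg] = parts[1]
    return below

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' '*jasper*'` on jessie.
SAMPLE_JESSIE = """\
libjasper1:amd64 1.900.1-debian1-2.4
libjasper-dev 1.900.1-debian1-2.4+deb8u1
"""
```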
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================