Lucene search

K

Gentoo FoundationGLSA-200812-18

HistoryDec 16, 2008 - 12:00 a.m.

JasPer: User-assisted execution of arbitrary code

2008-12-1600:00:00

Gentoo Foundation

security.gentoo.org

15

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.009 Low

EPSS

Percentile

82.9%

Background

The JasPer Project is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 (jpeg2k) standard.

Description

Marc Espie and Christian Weisgerber have discovered multiple vulnerabilities in JasPer:

Multiple integer overflows might allow for insufficient memory allocation, leading to heap-based buffer overflows (CVE-2008-3520).
The jas_stream_printf() function in libjasper/base/jas_stream.c uses vsprintf() to write user-provided data to a static to a buffer, leading to an overflow (CVE-2008-3522).

Impact

Remote attackers could entice a user or automated system to process specially crafted jpeg2k files with an application using JasPer, possibly leading to the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All JasPer users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=media-libs/jasper-1.900.1-r3"

OSVersionArchitecturePackageVersionFilename
Gentooanyallmedia-libs/jasper< 1.900.1-r3UNKNOWN

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.009 Low

EPSS

Percentile

82.9%

Related for GLSA-200812-18

openvas42 fedora2 nessus26 securityvulns4 ubuntu2 freebsd1 cve3 ubuntucve3 cvelist2 debiancve2 nvd3 prion3 veracode1 oraclelinux1 redhat2 centos1 slackware1 debian1 osv1