SB2015012901 - Input validation error in jasper (Alpine package)
Published: January 29, 2015
Security Bulletin ID
SB2015012901
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2014-9029)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple off-by-one errors in the (1) jpc_dec_cp_setfromcox and (2) jpc_dec_cp_setfromrgn functions in jpc/jpc_dec.c in JasPer 1.900.1 and earlier allow remote attackers to execute arbitrary code via a crafted jp2 file, which triggers a heap-based buffer overflow.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=9d20dfb4b70c35a10a26afd2ddfb7f487ee2eeb9
- https://git.alpinelinux.org/aports/commit/?id=5cb610fc7996f6d7ddcdffd54f62c2adc184be7a
- https://git.alpinelinux.org/aports/commit/?id=244e4d797e740c7fedf8e3e9df9d9d85859b11b4
- https://git.alpinelinux.org/aports/commit/?id=2b2d458b50da34ebb2659bbdcaecac89f7945dd6
- https://git.alpinelinux.org/aports/commit/?id=d7c2a3a234b34e3395c9530898107d27adede71a
- https://git.alpinelinux.org/aports/commit/?id=f6506740f77ee2eec5176756ba4dcd4d286dae1e
- https://git.alpinelinux.org/aports/commit/?id=a3c4e58af44e7b388f6821cda51ed825b35789cb
- https://git.alpinelinux.org/aports/commit/?id=a3c611fae92fca14cdae49707d4c798def7df413