SB2019050302 - OpenSUSE Linux update for jasper
Published: May 3, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Reachable Assertion (CVE-ID: CVE-2016-9396)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attacks.
The vulnerability exists due to reachable assertion in JPC_NOMINALGAIN function in jpc/jpc_t1cod.c in JasPer through 2.0.12. A remote attacker can perform a denial of service (DoS) attack via unspecified vectors.
2) Resource management error (CVE-ID: CVE-2018-19539)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to access violation error within the jas_image_readcmpt() function in libjasper/base/jas_image.c. A remote attacker can create a specially crafted image, pass it to the application and trigger denial of service conditions.
3) NULL pointer dereference (CVE-ID: CVE-2018-19542)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dreference error in jp2_decode() function in libjasper/jp2/jp2_dec.c. A remote attacker can create a specially crafted image. pass it to hhe application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.