Package: libjasper1
Version: 1.900.1-13+deb7u2
Severity: grave
Tags: security upstream
Justification: user security hole

From: http://www.ocert.org/advisories/ocert-2015-001.html

The library is affected by an off-by-one error in a buffer boundary check in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to stack overflow. A specially crafted jp2 file can be used to trigger the vulnerabilities.

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libjasper1 depends on:
ii  libc6              2.13-38+deb7u6
ii  libjpeg8           8d-1+deb7u1
ii  multiarch-support  2.13-38+deb7u6

libjasper1 recommends no packages.

Versions of packages libjasper1 suggests:
pn  libjasper-runtime  <none>

-- no debconf information
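The two defect classes the report names, an off-by-one in a buffer boundary check and scratch buffers on the stack whose size is taken from file header fields, shown side by side with their corrected forms. This is a constructed C illustration added here, not JasPer's jpc_dec_process_sot() or jpc_qmfb.c; the `tilepart_table` and `scratch` types, the capacity constants and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration: a decoder keeps per-tile-part records in a
 * fixed-capacity array indexed by a value read from the file header. */
#define TILEPART_CAP 8

struct tilepart_table {
    uint16_t lengths[TILEPART_CAP];
};

/* Flawed boundary check of the kind the report describes: '>' instead of
 * '>=' accepts idx == TILEPART_CAP, which is one element past the end.
 * Returns 1 when this check would let a write through, 0 when it rejects. */
int flawed_check_accepts(size_t idx)
{
    return idx > TILEPART_CAP ? 0 : 1;
}

/* Corrected check: valid slots are 0 .. TILEPART_CAP-1. */
int fixed_check_accepts(size_t idx)
{
    return idx < TILEPART_CAP ? 1 : 0;
}

/* Hardened store: the index is validated before any memory is touched.
 * Returns 0 on success, -1 if the index is out of range. */
int tilepart_store(struct tilepart_table *t, size_t idx, uint16_t len)
{
    if (!fixed_check_accepts(idx))
        return -1;
    t->lengths[idx] = len;
    return 0;
}

/* Convenience wrapper for exercising tilepart_store on a fresh table. */
int demo_store(size_t idx)
{
    struct tilepart_table t;
    memset(&t, 0, sizeof t);
    return tilepart_store(&t, idx, 1);
}

/* Second pattern from the report: a scratch buffer whose element count comes
 * from untrusted input must not be placed on the stack without a cap.
 * Requests up to STACK_SCRATCH_MAX use the inline array; larger ones go to
 * the heap; anything above SCRATCH_HARD_MAX is refused outright. Both limits
 * are hypothetical values chosen for this example. */
#define STACK_SCRATCH_MAX 256
#define SCRATCH_HARD_MAX  (1u << 20)

struct scratch {
    int32_t  inline_buf[STACK_SCRATCH_MAX];
    int32_t *heap_buf;   /* non-NULL only when the request exceeded the inline size */
    int32_t *data;       /* points at whichever storage is in use */
    size_t   count;
};

/* Returns 0 on success, -1 when the request is rejected or allocation fails. */
int scratch_acquire(struct scratch *s, size_t count)
{
    memset(s, 0, sizeof *s);
    if (count == 0 || count > SCRATCH_HARD_MAX)
        return -1;
    if (count <= STACK_SCRATCH_MAX) {
        s->data = s->inline_buf;
    } else {
        s->heap_buf = calloc(count, sizeof *s->heap_buf);
        if (s->heap_buf == NULL)
            return -1;
        s->data = s->heap_buf;
    }
    s->count = count;
    return 0;
}

void scratch_release(struct scratch *s)
{
    free(s->heap_buf);
    s->heap_buf = NULL;
    s->data = NULL;
    s->count = 0;
}

/* Exercises scratch_acquire for a given count.
 * Returns -1 if rejected, 0 if served from the inline buffer, 1 if from the heap. */
int demo_scratch(size_t count)
{
    struct scratch s;
    int where;
    if (scratch_acquire(&s, count) != 0)
        return -1;
    where = (s.heap_buf != NULL) ? 1 : 0;
    scratch_release(&s);
    return where;
}
```

The first pair of functions makes the off-by-one visible as a single comparison operator: the flawed check admits index 8 into an 8-element array, the corrected one does not. The scratch helper shows the usual remedy for unbounded stack use, a hard upper bound plus heap fallback, so that a header field can never choose the size of a stack frame.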