Security update for jasper
Announcement ID: | SUSE-SU-2017:1916-1 |
---|---|
Rating: | moderate |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves nine vulnerabilities can now be installed.
Description:
This update for jasper fixes the following issues:
Security issues fixed: - CVE-2016-9262: Multiple integer overflows in the jas_realloc function in base/jas_malloc.c and mem_resize function in base/jas_stream.c allow remote attackers to cause a denial of service via a crafted image, which triggers use after free vulnerabilities. (bsc#1009994) - CVE-2016-9388: The ras_getcmap function in ras_dec.c allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. (bsc#1010975) - CVE-2016-9389: The jpc_irct and jpc_iict functions in jpc_mct.c allow remote attackers to cause a denial of service (assertion failure). (bsc#1010968) - CVE-2016-9390: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. (bsc#1010774) - CVE-2016-9391: The jpc_bitstream_getbits function in jpc_bs.c allows remote attackers to cause a denial of service (assertion failure) via a very large integer. (bsc#1010782) - CVE-2017-1000050: The jp2_encode function in jp2_enc.c allows remote attackers to cause a denial of service. (bsc#1047958)
CVEs already fixed with previous update: - CVE-2016-9392: The calcstepsizes function in jpc_dec.c allows remote attackers to cause a denial of service (assertion failure) via a crafted file. (bsc#1010757) - CVE-2016-9393: The jpc_pi_nextrpcl function in jpc_t2cod.c allows remote attackers to cause a denial of service (assertion failure) via a crafted file. (bsc#1010766) - CVE-2016-9394: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a denial of service (assertion failure) via a crafted file. (bsc#1010756)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Enterprise Desktop 12 SP2
zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-1191=1
-
SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-1191=1
-
SUSE Linux Enterprise Software Development Kit 12 12-SP2
zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1191=1
-
SUSE Linux Enterprise High Performance Computing 12 SP2
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1191=1
-
SUSE Linux Enterprise Server 12 SP2
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1191=1
-
SUSE Linux Enterprise Server for SAP Applications 12 SP2
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1191=1
Package List:
-
SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
- jasper-debugsource-1.900.14-195.3.1
- libjasper1-32bit-1.900.14-195.3.1
- jasper-debuginfo-1.900.14-195.3.1
- libjasper1-1.900.14-195.3.1
- libjasper1-debuginfo-32bit-1.900.14-195.3.1
- libjasper1-debuginfo-1.900.14-195.3.1
-
SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
- jasper-debugsource-1.900.14-195.3.1
- libjasper1-1.900.14-195.3.1
- jasper-debuginfo-1.900.14-195.3.1
- libjasper1-debuginfo-1.900.14-195.3.1
-
SUSE Linux Enterprise Software Development Kit 12 12-SP2 (aarch64 ppc64le s390x x86_64)
- jasper-debugsource-1.900.14-195.3.1
- jasper-debuginfo-1.900.14-195.3.1
- libjasper-devel-1.900.14-195.3.1
-
SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
- jasper-debugsource-1.900.14-195.3.1
- libjasper1-1.900.14-195.3.1
- jasper-debuginfo-1.900.14-195.3.1
- libjasper1-debuginfo-1.900.14-195.3.1
-
SUSE Linux Enterprise High Performance Computing 12 SP2 (x86_64)
- libjasper1-32bit-1.900.14-195.3.1
- libjasper1-debuginfo-32bit-1.900.14-195.3.1
-
SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
- jasper-debugsource-1.900.14-195.3.1
- libjasper1-1.900.14-195.3.1
- jasper-debuginfo-1.900.14-195.3.1
- libjasper1-debuginfo-1.900.14-195.3.1
-
SUSE Linux Enterprise Server 12 SP2 (s390x x86_64)
- libjasper1-32bit-1.900.14-195.3.1
- libjasper1-debuginfo-32bit-1.900.14-195.3.1
-
SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
- jasper-debugsource-1.900.14-195.3.1
- libjasper1-1.900.14-195.3.1
- jasper-debuginfo-1.900.14-195.3.1
- libjasper1-debuginfo-1.900.14-195.3.1
-
SUSE Linux Enterprise Server for SAP Applications 12 SP2 (x86_64)
- libjasper1-32bit-1.900.14-195.3.1
- libjasper1-debuginfo-32bit-1.900.14-195.3.1
References:
- https://www.suse.com/security/cve/CVE-2016-9262.html
- https://www.suse.com/security/cve/CVE-2016-9388.html
- https://www.suse.com/security/cve/CVE-2016-9389.html
- https://www.suse.com/security/cve/CVE-2016-9390.html
- https://www.suse.com/security/cve/CVE-2016-9391.html
- https://www.suse.com/security/cve/CVE-2016-9392.html
- https://www.suse.com/security/cve/CVE-2016-9393.html
- https://www.suse.com/security/cve/CVE-2016-9394.html
- https://www.suse.com/security/cve/CVE-2017-1000050.html
- https://bugzilla.suse.com/show_bug.cgi?id=1009994
- https://bugzilla.suse.com/show_bug.cgi?id=1010756
- https://bugzilla.suse.com/show_bug.cgi?id=1010757
- https://bugzilla.suse.com/show_bug.cgi?id=1010766
- https://bugzilla.suse.com/show_bug.cgi?id=1010774
- https://bugzilla.suse.com/show_bug.cgi?id=1010782
- https://bugzilla.suse.com/show_bug.cgi?id=1010968
- https://bugzilla.suse.com/show_bug.cgi?id=1010975
- https://bugzilla.suse.com/show_bug.cgi?id=1047958