Security update for jasper

Announcement ID:	SUSE-SU-2020:2689-1
Rating:	moderate
References:	bsc#1010979 bsc#1010980 bsc#1020451 bsc#1020456 bsc#1020458 bsc#1020460 bsc#1045450 bsc#1057152 bsc#1088278 bsc#1114498 bsc#1115637 bsc#1117328 bsc#1120805 bsc#1120807
Cross-References:	CVE-2016-9398 CVE-2016-9399 CVE-2017-14132 CVE-2017-5499 CVE-2017-5503 CVE-2017-5504 CVE-2017-5505 CVE-2017-9782 CVE-2018-18873 CVE-2018-19139 CVE-2018-19543 CVE-2018-20570 CVE-2018-20622 CVE-2018-9252
CVSS scores:	CVE-2016-9398 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-9398 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-9399 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-9399 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-9399 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-14132 ( SUSE ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-14132 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-5499 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-5503 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-5504 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-5505 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2017-9782 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-9782 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-18873 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-18873 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-18873 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-19139 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-19139 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-19543 ( SUSE ): 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2018-19543 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-20570 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2018-20570 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-20622 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-20622 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-9252 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-9252 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15-SP2 Basesystem Module 15-SP1 Desktop Applications Module 15-SP2 Desktop Applications Module 15-SP1 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.0 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.0 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.0 SUSE Manager Server 4.1 SUSE Package Hub 15 15-SP1

An update that solves 14 vulnerabilities can now be installed.

Description:

This update for jasper fixes the following issues:

• CVE-2016-9398: Improved patch for already fixed issue (bsc#1010979).
• CVE-2016-9399: Fix assert in calcstepsizes (bsc#1010980).
• CVE-2017-5499: Validate component depth bit (bsc#1020451).
• CVE-2017-5503: Check bounds in jas_seq2d_bindsub() (bsc#1020456).
• CVE-2017-5504: Check bounds in jas_seq2d_bindsub() (bsc#1020458).
• CVE-2017-5505: Check bounds in jas_seq2d_bindsub() (bsc#1020460).
• CVE-2017-14132: Fix heap base overflow in by checking components (bsc#1057152).
• CVE-2018-9252: Fix reachable assertion in jpc_abstorelstepsize (bsc#1088278).
• CVE-2018-18873: Fix null pointer deref in ras_putdatastd (bsc#1114498).
• CVE-2018-19139: Fix mem leaks by registering jpc_unk_destroyparms (bsc#1115637).
• CVE-2018-19543, bsc#1045450 CVE-2017-9782: Fix numchans mixup (bsc#1117328).
• CVE-2018-20570: Fix heap based buffer over-read in jp2_encode (bsc#1120807).
• CVE-2018-20622: Fix memory leak in jas_malloc.c (bsc#1120805).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-2689=1
• Basesystem Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-2689=1
• Desktop Applications Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-2689=1
• Desktop Applications Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-2689=1
• SUSE Package Hub 15 15-SP1
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-2689=1

Package List:

• Basesystem Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • libjasper4-2.0.14-3.16.1
  • jasper-debugsource-2.0.14-3.16.1
  • libjasper4-debuginfo-2.0.14-3.16.1
  • jasper-debuginfo-2.0.14-3.16.1
• Basesystem Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • libjasper4-2.0.14-3.16.1
  • jasper-debugsource-2.0.14-3.16.1
  • libjasper4-debuginfo-2.0.14-3.16.1
  • jasper-debuginfo-2.0.14-3.16.1
• Desktop Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • libjasper-devel-2.0.14-3.16.1
  • jasper-debugsource-2.0.14-3.16.1
  • jasper-debuginfo-2.0.14-3.16.1
• Desktop Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • libjasper-devel-2.0.14-3.16.1
  • jasper-debugsource-2.0.14-3.16.1
  • jasper-debuginfo-2.0.14-3.16.1
• SUSE Package Hub 15 15-SP1 (aarch64 ppc64le s390x x86_64)
  • jasper-debugsource-2.0.14-3.16.1
  • jasper-debuginfo-2.0.14-3.16.1
  • jasper-2.0.14-3.16.1

References:

• https://www.suse.com/security/cve/CVE-2016-9398.html
• https://www.suse.com/security/cve/CVE-2016-9399.html
• https://www.suse.com/security/cve/CVE-2017-14132.html
• https://www.suse.com/security/cve/CVE-2017-5499.html
• https://www.suse.com/security/cve/CVE-2017-5503.html
• https://www.suse.com/security/cve/CVE-2017-5504.html
• https://www.suse.com/security/cve/CVE-2017-5505.html
• https://www.suse.com/security/cve/CVE-2017-9782.html
• https://www.suse.com/security/cve/CVE-2018-18873.html
• https://www.suse.com/security/cve/CVE-2018-19139.html
• https://www.suse.com/security/cve/CVE-2018-19543.html
• https://www.suse.com/security/cve/CVE-2018-20570.html
• https://www.suse.com/security/cve/CVE-2018-20622.html
• https://www.suse.com/security/cve/CVE-2018-9252.html
• https://bugzilla.suse.com/show_bug.cgi?id=1010979
• https://bugzilla.suse.com/show_bug.cgi?id=1010980
• https://bugzilla.suse.com/show_bug.cgi?id=1020451
• https://bugzilla.suse.com/show_bug.cgi?id=1020456
• https://bugzilla.suse.com/show_bug.cgi?id=1020458
• https://bugzilla.suse.com/show_bug.cgi?id=1020460
• https://bugzilla.suse.com/show_bug.cgi?id=1045450
• https://bugzilla.suse.com/show_bug.cgi?id=1057152
• https://bugzilla.suse.com/show_bug.cgi?id=1088278
• https://bugzilla.suse.com/show_bug.cgi?id=1114498
• https://bugzilla.suse.com/show_bug.cgi?id=1115637
• https://bugzilla.suse.com/show_bug.cgi?id=1117328
• https://bugzilla.suse.com/show_bug.cgi?id=1120805
• https://bugzilla.suse.com/show_bug.cgi?id=1120807