[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [ MDVSA-2009:142 ] jasper



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:142
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : jasper
 Date    : June 26, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Multiple security vulnerabilities has been identified and fixed
 in jasper:
 
 The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
 JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
 attackers to cause a denial of service (crash) and possibly corrupt
 the heap via malformed image files, as originally demonstrated using
 imagemagick convert (CVE-2007-2721).
 
 Multiple integer overflows in JasPer 1.900.1 might allow
 context-dependent attackers to have an unknown impact via a crafted
 image file, related to integer multiplication for memory allocation
 (CVE-2008-3520).
 
 The jas_stream_tmpfile function in libjasper/base/jas_stream.c in
 JasPer 1.900.1 allows local users to overwrite arbitrary files via
 a symlink attack on a tmp.XXXXXXXXXX temporary file (CVE-2008-3521).
 
 Buffer overflow in the jas_stream_printf function in
 libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
 context-dependent attackers to have an unknown impact via
 vectors related to the mif_hdr_put function and use of vsprintf
 (CVE-2008-3522).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3521
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 b415b975e60c3e47af3b67c21f89fde9  
2008.1/i586/jasper-1.900.1-3.1mdv2008.1.i586.rpm
 525a4213baf56dee4733976ebbf916af  
2008.1/i586/libjasper1-1.900.1-3.1mdv2008.1.i586.rpm
 eda31571a90149b4bebdc976b5e04406  
2008.1/i586/libjasper1-devel-1.900.1-3.1mdv2008.1.i586.rpm
 b974e8d5ef8992aec3b1031de47ac9f4  
2008.1/i586/libjasper1-static-devel-1.900.1-3.1mdv2008.1.i586.rpm 
 01b1f3bcf707d3296f41a736c5bdc7ed  
2008.1/SRPMS/jasper-1.900.1-3.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 5322cd4a5498e9e9a92777738d4aef90  
2008.1/x86_64/jasper-1.900.1-3.1mdv2008.1.x86_64.rpm
 f7f0188142c7890148a643218016b809  
2008.1/x86_64/lib64jasper1-1.900.1-3.1mdv2008.1.x86_64.rpm
 d11f1b52a11db1516ecf51fa2d863238  
2008.1/x86_64/lib64jasper1-devel-1.900.1-3.1mdv2008.1.x86_64.rpm
 7bf348d780f0392a2256fec32e1136f4  
2008.1/x86_64/lib64jasper1-static-devel-1.900.1-3.1mdv2008.1.x86_64.rpm 
 01b1f3bcf707d3296f41a736c5bdc7ed  
2008.1/SRPMS/jasper-1.900.1-3.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 89674fae78d1e53361413798c598e53a  
2009.0/i586/jasper-1.900.1-4.1mdv2009.0.i586.rpm
 244e0d289c1ed9223d04d37cce6ac30c  
2009.0/i586/libjasper1-1.900.1-4.1mdv2009.0.i586.rpm
 adfbe8cbdcf16177a9894753a36ac04d  
2009.0/i586/libjasper1-devel-1.900.1-4.1mdv2009.0.i586.rpm
 98d7a08e49d6b0b9c3b3ac45ee31fab2  
2009.0/i586/libjasper1-static-devel-1.900.1-4.1mdv2009.0.i586.rpm 
 107b936e8361e9778077500205582db1  
2009.0/SRPMS/jasper-1.900.1-4.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 e48536726ba6c83c14fc4a3533c1aa72  
2009.0/x86_64/jasper-1.900.1-4.1mdv2009.0.x86_64.rpm
 9e756d8c55f33a7a58955c2c556e8b53  
2009.0/x86_64/lib64jasper1-1.900.1-4.1mdv2009.0.x86_64.rpm
 a3a6ea3a8943d07096bdf2b6bffa905f  
2009.0/x86_64/lib64jasper1-devel-1.900.1-4.1mdv2009.0.x86_64.rpm
 9035b3ca72439aaadc0d0354ccb7d094  
2009.0/x86_64/lib64jasper1-static-devel-1.900.1-4.1mdv2009.0.x86_64.rpm 
 107b936e8361e9778077500205582db1  
2009.0/SRPMS/jasper-1.900.1-4.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 b11ffbb67ab917d95b23e3d71098da4d  
2009.1/i586/jasper-1.900.1-5.1mdv2009.1.i586.rpm
 0403d7db1343380b23c87845ad89539c  
2009.1/i586/libjasper1-1.900.1-5.1mdv2009.1.i586.rpm
 22cd4305bca44bbc47cb42e115514b7f  
2009.1/i586/libjasper-devel-1.900.1-5.1mdv2009.1.i586.rpm
 9e34a3304b35363853a3c733a87b03fb  
2009.1/i586/libjasper-static-devel-1.900.1-5.1mdv2009.1.i586.rpm 
 ba5e1fd525c267b49e3e5241a922185a  
2009.1/SRPMS/jasper-1.900.1-5.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 b4c00f01c5df8638bb4d76c44e4c88cc  
2009.1/x86_64/jasper-1.900.1-5.1mdv2009.1.x86_64.rpm
 b4aefde111aba037a6738ccdd509f061  
2009.1/x86_64/lib64jasper1-1.900.1-5.1mdv2009.1.x86_64.rpm
 e3a1dda206b8a383b0da6794198a2e02  
2009.1/x86_64/lib64jasper-devel-1.900.1-5.1mdv2009.1.x86_64.rpm
 a66c98b93ebd2caca3ce4bb321e092b7  
2009.1/x86_64/lib64jasper-static-devel-1.900.1-5.1mdv2009.1.x86_64.rpm 
 ba5e1fd525c267b49e3e5241a922185a  
2009.1/SRPMS/jasper-1.900.1-5.1mdv2009.1.src.rpm

 Corporate 4.0:
 390256d639cfbc0f15bf6895b3b18450  
corporate/4.0/i586/jasper-1.701.0-3.1.20060mlcs4.i586.rpm
 44915a643d07e967fca1912bca97a03b  
corporate/4.0/i586/libjasper1.701_1-1.701.0-3.1.20060mlcs4.i586.rpm
 5f4c0ecd6f5f5a7585b1e13f245a86d0  
corporate/4.0/i586/libjasper1.701_1-devel-1.701.0-3.1.20060mlcs4.i586.rpm
 374d797c523577b4b1839cdc52fe5664  
corporate/4.0/i586/libjasper1.701_1-static-devel-1.701.0-3.1.20060mlcs4.i586.rpm
 
 34a9fdad21246f55d452de585dd2bf95  
corporate/4.0/SRPMS/jasper-1.701.0-3.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 ba555966cb3df0218a682788d734a4b8  
corporate/4.0/x86_64/jasper-1.701.0-3.1.20060mlcs4.x86_64.rpm
 82405a393d7454a0da522d4b9cd5bd22  
corporate/4.0/x86_64/lib64jasper1.701_1-1.701.0-3.1.20060mlcs4.x86_64.rpm
 5443fe74af531fb8786de9d79f989433  
corporate/4.0/x86_64/lib64jasper1.701_1-devel-1.701.0-3.1.20060mlcs4.x86_64.rpm
 331aea54055a12468e48bcac1604b4c5  
corporate/4.0/x86_64/lib64jasper1.701_1-static-devel-1.701.0-3.1.20060mlcs4.x86_64.rpm
 
 34a9fdad21246f55d452de585dd2bf95  
corporate/4.0/SRPMS/jasper-1.701.0-3.1.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKRRjKmqjQ0CJFipgRAv9VAKCsQ/vsjSv5D4Kd3zRGitSJzwJflwCfbFIF
UVglFwewEnLqlZH4+9FCP2E=
=7zQK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/