CVE-2008-3520

Name	CVE-2008-3520
Description	Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	501021, 559778, 561717

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ghostscript (PTS)	jessie, jessie (lts)	9.26a~dfsg-0+deb8u12	fixed
	stretch (security)	9.26a~dfsg-0+deb9u9	fixed
	stretch (lts), stretch	9.26a~dfsg-0+deb9u12	fixed
	buster (security), buster, buster (lts)	9.27~dfsg-2+deb10u9	fixed
	bullseye	9.53.3~dfsg-7+deb11u7	fixed
	bullseye (security)	9.53.3~dfsg-7+deb11u8	fixed
	bookworm	10.0.0~dfsg-11+deb12u5	fixed
	bookworm (security)	10.0.0~dfsg-11+deb12u6	fixed
	sid, trixie	10.04.0~dfsg-1	fixed
jasper (PTS)	jessie, jessie (lts)	1.900.1-debian1-2.4+deb8u12	fixed
netpbm-free (PTS)	jessie	2:10.0-15.2	fixed
	buster, stretch	2:10.0-15.3	fixed
	bullseye	2:10.0-15.4	fixed
	bookworm	2:11.01.00-2	fixed
	sid, trixie	2:11.08.01-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
ghostscript	source	lenny	(not affected)
ghostscript	source	(unstable)	8.64~dfsg-2	low	559778
gs-gpl	source	(unstable)	(unfixed)	low	561717
jasper	source	(unstable)	1.900.1-5.1	medium	501021
netpbm-free	source	(unstable)	(not affected)

[lenny] - ghostscript <not-affected> (Too intrusive to backport)
- netpbm-free <not-affected> (dynamically links to ghostscript if available)