| Name | CVE-2016-9583 |
| Description | An out-of-bounds heap read vulnerability was found in the jpc_pi_nextpcrl() function of jasper before 2.0.6 when processing crafted input. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| jasper (PTS) | jessie, jessie (lts) | 1.900.1-debian1-2.4+deb8u12 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| jasper | source | (unstable) | (unfixed) | unimportant | | |
Notes
https://github.com/mdadams/jasper/issues/103
Fixed by https://github.com/mdadams/jasper/commit/99a50593254d1b53002719bbecfc946c84b23d27
The issue exists due to an overflow check which is not present
in Wheezy and Jessie. However it makes sense to implement this check.
This can be done when more important issues are found [wheezy].
Not suitable for code injection, hardly denial of service