CVE-2017-5500

NameCVE-2017-5500
Descriptionlibjasper/jpc/jpc_dec.c in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via vectors involving left shift of a negative value.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jasper (PTS)jessie, jessie (lts)1.900.1-debian1-2.4+deb8u12vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jaspersource(unstable)(unfixed)unimportant

Notes

Triggers an assert. Not suitable for code injection, hardly denial of service
Reproducer: https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c
http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/
https://github.com/mdadams/jasper/issues/64

Search for package or bug name: Reporting problems