ELA-329-1 jasper security update

denial-of-service

2020-12-11
Package: jasper
Version: 1.900.1-debian1-2.4+deb8u7
Related CVEs: CVE-2017-9782 CVE-2018-19139 CVE-2018-19543 CVE-2020-27828


Several security vulnerabilities were found and corrected in jasper, a JPEG 2000 image library, which could lead to denial-of-service or have other unspecified impact.

CVE-2018-19139: Fix memory leaks by registering jpc_unk_destroyparms.

CVE-2020-27828: Prevent a maxrlvls value greater than the upper bound from causing a heap-buffer-overflow.

CVE-2018-19543 and CVE-2017-9782: There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c.



For Debian 8 jessie, these problems have been fixed in version 1.900.1-debian1-2.4+deb8u7.

We recommend that you upgrade your jasper packages.
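
To confirm a host carries the fix, the installed version has to be compared against 1.900.1-debian1-2.4+deb8u7 using Debian's ordering rules, not plain string comparison. The following is an added example, not part of the advisory or of dpkg: a small Python reimplementation of that ordering, with hypothetical function names and constructed sample versions in the comments.

```python
import re

FIXED = "1.900.1-debian1-2.4+deb8u7"  # fixed version stated in the advisory

def split_version(v):
    """Split into (epoch, upstream, revision): epoch ends at the first ':',
    the revision starts after the LAST '-', so 'debian1' stays in upstream."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, revision

def _nondigit(s, k):
    return k < len(s) and s[k] not in "0123456789"

def _order(ch):
    # Debian ordering: '~' sorts before end-of-string, letters before symbols.
    if ch == "~":
        return -1
    if ch == "" or ch in "0123456789":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare one upstream or revision string: alternate non-digit runs
    (ordered by _order) with digit runs (compared as integers)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while _nondigit(a, i) or _nondigit(b, j):
            x, y = _order(a[i:i + 1]), _order(b[j:j + 1])
            if x != y:
                return -1 if x < y else 1
            i, j = i + 1, j + 1
        da = re.match(r"[0-9]*", a[i:]).group()
        db = re.match(r"[0-9]*", b[j:]).group()
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
        i, j = i + len(da), j + len(db)
    return 0

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    (e1, u1, r1), (e2, u2, r2) = split_version(v1), split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_fixed(installed, fixed=FIXED):
    # Constructed samples: "...+deb8u6" is older, "...+deb8u10" is newer.
    return compare(installed, fixed) >= 0
```

Pass it the version string dpkg reports for each installed jasper binary package; any result of False means the host still needs the upgrade.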

Further information about Extended LTS security advisories can be found in the dedicated section of our website.