[Secure-testing-team] Bug#775970: libjasper1: CVE-2014-8157 CVE-2014-8158
Karl O. Pinc
kop at meme.com
Thu Jan 22 03:09:57 UTC 2015
Package: libjasper1
Version: 1.900.1-13+deb7u2
Severity: grave
Tags: security upstream
Justification: user security hole
From: http://www.ocert.org/advisories/ocert-2015-001.html
The library is affected by an off-by-one error in a buffer boundary
check in jpc_dec_process_sot(), leading to a heap based buffer
overflow, as well as multiple unrestricted stack memory use issues in
jpc_qmfb.c, leading to stack overflow.
A specially crafted jp2 file can be used to trigger the
vulnerabilities.
-- System Information:
Debian Release: 7.8
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libjasper1 depends on:
ii libc6 2.13-38+deb7u6
ii libjpeg8 8d-1+deb7u1
ii multiarch-support 2.13-38+deb7u6
libjasper1 recommends no packages.
Versions of packages libjasper1 suggests:
pn libjasper-runtime <none>
-- no debconf information
More information about the Secure-testing-team
mailing list