
[Security Announce] [ MDVSA-2009:142 ] jasper


 

_______________________________________________________________________

 

Mandriva Linux Security Advisory MDVSA-2009:142

http://www.mandriva.com/security/

_______________________________________________________________________

 

Package : jasper

Date : June 26, 2009

Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0

_______________________________________________________________________

 

Problem Description:

 

Multiple security vulnerabilities have been identified and fixed
in jasper:

The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly corrupt
the heap via malformed image files, as originally demonstrated using
imagemagick convert (CVE-2007-2721).

Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).

The jas_stream_tmpfile function in libjasper/base/jas_stream.c in
JasPer 1.900.1 allows local users to overwrite arbitrary files via
a symlink attack on a tmp.XXXXXXXXXX temporary file (CVE-2008-3521).

Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via
vectors related to the mif_hdr_put function and use of vsprintf
(CVE-2008-3522).

The updated packages have been patched to prevent this.

_______________________________________________________________________

 

References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3521

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522

_______________________________________________________________________

 

Updated Packages:

 

Mandriva Linux 2008.1:

b415b975e60c3e47af3b67c21f89fde9 2008.1/i586/jasper-1.900.1-3.1mdv2008.1.i586.rpm

525a4213baf56dee4733976ebbf916af 2008.1/i586/libjasper1-1.900.1-3.1mdv2008.1.i586.rpm

eda31571a90149b4bebdc976b5e04406 2008.1/i586/libjasper1-devel-1.900.1-3.1mdv2008.1.i586.rpm

b974e8d5ef8992aec3b1031de47ac9f4 2008.1/i586/libjasper1-static-devel-1.900.1-3.1mdv2008.1.i586.rpm

01b1f3bcf707d3296f41a736c5bdc7ed 2008.1/SRPMS/jasper-1.900.1-3.1mdv2008.1.src.rpm

 

Mandriva Linux 2008.1/X86_64:

5322cd4a5498e9e9a92777738d4aef90 2008.1/x86_64/jasper-1.900.1-3.1mdv2008.1.x86_64.rpm

f7f0188142c7890148a643218016b809 2008.1/x86_64/lib64jasper1-1.900.1-3.1mdv2008.1.x86_64.rpm

d11f1b52a11db1516ecf51fa2d863238 2008.1/x86_64/lib64jasper1-devel-1.900.1-3.1mdv2008.1.x86_64.rpm

7bf348d780f0392a2256fec32e1136f4 2008.1/x86_64/lib64jasper1-static-devel-1.900.1-3.1mdv2008.1.x86_64.rpm

01b1f3bcf707d3296f41a736c5bdc7ed 2008.1/SRPMS/jasper-1.900.1-3.1mdv2008.1.src.rpm

 

Mandriva Linux 2009.0:

89674fae78d1e53361413798c598e53a 2009.0/i586/jasper-1.900.1-4.1mdv2009.0.i586.rpm

244e0d289c1ed9223d04d37cce6ac30c 2009.0/i586/libjasper1-1.900.1-4.1mdv2009.0.i586.rpm

adfbe8cbdcf16177a9894753a36ac04d 2009.0/i586/libjasper1-devel-1.900.1-4.1mdv2009.0.i586.rpm

98d7a08e49d6b0b9c3b3ac45ee31fab2 2009.0/i586/libjasper1-static-devel-1.900.1-4.1mdv2009.0.i586.rpm

107b936e8361e9778077500205582db1 2009.0/SRPMS/jasper-1.900.1-4.1mdv2009.0.src.rpm

 

Mandriva Linux 2009.0/X86_64:

e48536726ba6c83c14fc4a3533c1aa72 2009.0/x86_64/jasper-1.900.1-4.1mdv2009.0.x86_64.rpm

9e756d8c55f33a7a58955c2c556e8b53 2009.0/x86_64/lib64jasper1-1.900.1-4.1mdv2009.0.x86_64.rpm

a3a6ea3a8943d07096bdf2b6bffa905f 2009.0/x86_64/lib64jasper1-devel-1.900.1-4.1mdv2009.0.x86_64.rpm

9035b3ca72439aaadc0d0354ccb7d094 2009.0/x86_64/lib64jasper1-static-devel-1.900.1-4.1mdv2009.0.x86_64.rpm

107b936e8361e9778077500205582db1 2009.0/SRPMS/jasper-1.900.1-4.1mdv2009.0.src.rpm

 

Mandriva Linux 2009.1:

b11ffbb67ab917d95b23e3d71098da4d 2009.1/i586/jasper-1.900.1-5.1mdv2009.1.i586.rpm

0403d7db1343380b23c87845ad89539c 2009.1/i586/libjasper1-1.900.1-5.1mdv2009.1.i586.rpm

22cd4305bca44bbc47cb42e115514b7f 2009.1/i586/libjasper-devel-1.900.1-5.1mdv2009.1.i586.rpm

9e34a3304b35363853a3c733a87b03fb 2009.1/i586/libjasper-static-devel-1.900.1-5.1mdv2009.1.i586.rpm

ba5e1fd525c267b49e3e5241a922185a 2009.1/SRPMS/jasper-1.900.1-5.1mdv2009.1.src.rpm

 

Mandriva Linux 2009.1/X86_64:

b4c00f01c5df8638bb4d76c44e4c88cc 2009.1/x86_64/jasper-1.900.1-5.1mdv2009.1.x86_64.rpm

b4aefde111aba037a6738ccdd509f061 2009.1/x86_64/lib64jasper1-1.900.1-5.1mdv2009.1.x86_64.rpm

e3a1dda206b8a383b0da6794198a2e02 2009.1/x86_64/lib64jasper-devel-1.900.1-5.1mdv2009.1.x86_64.rpm

a66c98b93ebd2caca3ce4bb321e092b7 2009.1/x86_64/lib64jasper-static-devel-1.900.1-5.1mdv2009.1.x86_64.rpm

ba5e1fd525c267b49e3e5241a922185a 2009.1/SRPMS/jasper-1.900.1-5.1mdv2009.1.src.rpm

 

Corporate 4.0:

390256d639cfbc0f15bf6895b3b18450 corporate/4.0/i586/jasper-1.701.0-3.1.20060mlcs4.i586.rpm

44915a643d07e967fca1912bca97a03b corporate/4.0/i586/libjasper1.701_1-1.701.0-3.1.20060mlcs4.i586.rpm

5f4c0ecd6f5f5a7585b1e13f245a86d0 corporate/4.0/i586/libjasper1.701_1-devel-1.701.0-3.1.20060mlcs4.i586.rpm

374d797c523577b4b1839cdc52fe5664 corporate/4.0/i586/libjasper1.701_1-static-devel-1.701.0-3.1.20060mlcs4.i586.rpm

34a9fdad21246f55d452de585dd2bf95 corporate/4.0/SRPMS/jasper-1.701.0-3.1.20060mlcs4.src.rpm

 

Corporate 4.0/X86_64:

ba555966cb3df0218a682788d734a4b8 corporate/4.0/x86_64/jasper-1.701.0-3.1.20060mlcs4.x86_64.rpm

82405a393d7454a0da522d4b9cd5bd22 corporate/4.0/x86_64/lib64jasper1.701_1-1.701.0-3.1.20060mlcs4.x86_64.rpm

5443fe74af531fb8786de9d79f989433 corporate/4.0/x86_64/lib64jasper1.701_1-devel-1.701.0-3.1.20060mlcs4.x86_64.rpm

331aea54055a12468e48bcac1604b4c5 corporate/4.0/x86_64/lib64jasper1.701_1-static-devel-1.701.0-3.1.20060mlcs4.x86_64.rpm

34a9fdad21246f55d452de585dd2bf95 corporate/4.0/SRPMS/jasper-1.701.0-3.1.20060mlcs4.src.rpm

_______________________________________________________________________

 

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

You can view other update advisories for Mandriva Linux at:

 

http://www.mandriva.com/security/advisories

 

If you want to report vulnerabilities, please contact

 

security_(at)_mandriva.com

_______________________________________________________________________

 

Type Bits/KeyID Date User ID

pub 1024D/22458A98 2000-07-10 Mandriva Security Team
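
The three coding-error classes named in the problem description (integer multiplication for memory allocation, a predictable temporary file, and unbounded vsprintf) each have a standard hardened form, sketched below. This is an added example, not code from the advisory, Mandriva or JasPer; the function names and the /tmp/example.XXXXXX template are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* CVE-2008-3520 class: refuse count * size when the product would wrap
 * around size_t, instead of allocating a too-small buffer. */
void *checked_alloc2(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;
    return malloc(count * size);
}

/* CVE-2008-3522 class: vsnprintf never writes past cap bytes; report
 * truncation as an error (-1) rather than silently cutting the output. */
int bounded_printf(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* CVE-2008-3521 class: mkstemp creates the file with O_CREAT|O_EXCL and
 * mode 0600, so a symlink planted at the chosen name is not followed. */
int safe_tmpfile(char *path_out, size_t cap)
{
    int n = snprintf(path_out, cap, "/tmp/example.XXXXXX");
    if (n < 0 || (size_t)n >= cap)
        return -1;
    int fd = mkstemp(path_out);
    if (fd >= 0)
        unlink(path_out);   /* keep only the descriptor, no name to race on */
    return fd;
}

int main(void)
{
    char buf[8], path[64];
    printf("wrapping alloc refused: %d\n", checked_alloc2(SIZE_MAX, 2) == NULL);
    printf("oversized format: %d\n", bounded_printf(buf, sizeof buf, "%s", "0123456789"));
    int fd = safe_tmpfile(path, sizeof path);
    printf("temp fd valid: %d\n", fd >= 0);
    if (fd >= 0) close(fd);
    return 0;
}
```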

 
