Message-Id: <E1RbY4v-00056q-0d@titan.mandriva.com>
Date: Fri, 16 Dec 2011 14:44:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:189 ] jasper

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:189
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : jasper
 Date    : December 16, 2011
 Affected: 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in jasper:
 
 Heap-based buffer overflow in the jpc_cox_getcompparms function in
 libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to
 execute arbitrary code or cause a denial of service (memory corruption)
 via a crafted numrlvls value in a JPEG2000 file (CVE-2011-4516).
 
 The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer
 1.900.1 uses an incorrect data type during a certain size calculation,
 which allows remote attackers to trigger a heap-based buffer overflow
 and execute arbitrary code, or cause a denial of service (heap memory
 corruption), via a malformed JPEG2000 file (CVE-2011-4517).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 e494dad90e889530c86071f3ffdc2144  2010.1/i586/jasper-1.900.1-12.1mdv2010.2.i586.rpm
 b2b08a6ecacf2d26d032b1e65ebf390d  2010.1/i586/libjasper1-1.900.1-12.1mdv2010.2.i586.rpm
 71a43faf4f98f4c8220c377691fc6d7c  2010.1/i586/libjasper-devel-1.900.1-12.1mdv2010.2.i586.rpm
 002cc21e456874c4927eb0d87c946b98  2010.1/i586/libjasper-static-devel-1.900.1-12.1mdv2010.2.i586.rpm 
 1cda18f770486d728dc15efdcecc177d  2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 420fb525b80f6921f36a5bdf89e7163e  2010.1/x86_64/jasper-1.900.1-12.1mdv2010.2.x86_64.rpm
 9ecae54e76c3e3320ba1837d623c0fbf  2010.1/x86_64/lib64jasper1-1.900.1-12.1mdv2010.2.x86_64.rpm
 8f8690f72954f4d33e14b5a61dab39af  2010.1/x86_64/lib64jasper-devel-1.900.1-12.1mdv2010.2.x86_64.rpm
 f08f66c77a6bd13aa9e1d642bd38a756  2010.1/x86_64/lib64jasper-static-devel-1.900.1-12.1mdv2010.2.x86_64.rpm 
 1cda18f770486d728dc15efdcecc177d  2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm

 Mandriva Linux 2011:
 2ca7cc26dc24d01d159200db795c4f62  2011/i586/jasper-1.900.1-12.1-mdv2011.0.i586.rpm
 25681b4aeccde3e9b85b4f565870853f  2011/i586/libjasper1-1.900.1-12.1-mdv2011.0.i586.rpm
 fc559da2f2ed5264c7ca37fe313f5979  2011/i586/libjasper-devel-1.900.1-12.1-mdv2011.0.i586.rpm
 81cf761c980e151a2a804f1fad5be109  2011/i586/libjasper-static-devel-1.900.1-12.1-mdv2011.0.i586.rpm 
 e2bbe335c556a330f7993c6119c8d6cc  2011/SRPMS/jasper-1.900.1-12.1.src.rpm

 Mandriva Linux 2011/X86_64:
 136e4a0960f038fb1d043afc146260ff  2011/x86_64/jasper-1.900.1-12.1-mdv2011.0.x86_64.rpm
 bcf658437206939760149448524eceb9  2011/x86_64/lib64jasper1-1.900.1-12.1-mdv2011.0.x86_64.rpm
 72d5f142060403ca344c2f0311258381  2011/x86_64/lib64jasper-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm
 d8b8311ec34971e7908c1b2bccb671c9  2011/x86_64/lib64jasper-static-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm 
 e2bbe335c556a330f7993c6119c8d6cc  2011/SRPMS/jasper-1.900.1-12.1.src.rpm

 Mandriva Enterprise Server 5:
 8bf49dec9c4e4890e3e989ff8fc3bb19  mes5/i586/jasper-1.900.1-4.3mdvmes5.2.i586.rpm
 bccebb05fb7594cae930ba03ee527039  mes5/i586/libjasper1-1.900.1-4.3mdvmes5.2.i586.rpm
 35b631ab6c5f153c1e2d273142d385f3  mes5/i586/libjasper1-devel-1.900.1-4.3mdvmes5.2.i586.rpm
 c01ebaa0319a5bd480a69f3f7d84f35a  mes5/i586/libjasper1-static-devel-1.900.1-4.3mdvmes5.2.i586.rpm 
 8da90dd5afaeb2aaf09daad2f97d83ab  mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 8c1aed6122fa87a6341ef2d8282f4390  mes5/x86_64/jasper-1.900.1-4.3mdvmes5.2.x86_64.rpm
 83d3051efaa4e26793bea89775e2d461  mes5/x86_64/lib64jasper1-1.900.1-4.3mdvmes5.2.x86_64.rpm
 9f7ed89204edddde7b443e7fac61fe2b  mes5/x86_64/lib64jasper1-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm
 41d45d8a0ca083a26eed5b213cfd7a79  mes5/x86_64/lib64jasper1-static-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm 
 8da90dd5afaeb2aaf09daad2f97d83ab  mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFO6x1nmqjQ0CJFipgRAkhTAJ0bHHUFiodH4z69bX/yKE68Vq3+JQCdEPQm
cE1/h3Xv/zQWnadBoHy4OcY=
=DYuC
-----END PGP SIGNATURE-----
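
The two bug classes named in the advisory above (a file-supplied count such as numrlvls used without a bound, and a heap buffer sized with the wrong data type), shown here in hardened form. This is an added example, not JasPer's code or Mandriva's patch; the struct names, the MAX_RLVLS capacity and the byte layouts are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RLVLS 33            /* assumed capacity of the fixed table */

typedef struct { uint8_t numrlvls; uint8_t rlvls[MAX_RLVLS]; } cox_parms_t;
typedef struct { uint16_t hoff, voff; } crg_comp_t;

/* Constructed layout: buf[0] = numrlvls, then one byte per level. */
int parse_cox(const uint8_t *buf, size_t len, cox_parms_t *out)
{
    if (len < 1)
        return -1;
    size_t n = buf[0];
    /* The file-supplied count must fit the fixed table before any write. */
    if (n == 0 || n > MAX_RLVLS)
        return -1;
    if (len - 1 < n)            /* and the input must actually hold n bytes */
        return -1;
    out->numrlvls = (uint8_t)n;
    for (size_t i = 0; i < n; i++)
        out->rlvls[i] = buf[1 + i];
    return 0;
}

/* Constructed layout: numcomps records of 2 x 16-bit big-endian offsets. */
crg_comp_t *parse_crg(const uint8_t *buf, size_t len, size_t numcomps)
{
    crg_comp_t *comps;
    /* Size the buffer from the element actually stored (sizeof *comps),
       not from a narrower type, and reject counts that overflow size_t. */
    if (numcomps == 0 || numcomps > SIZE_MAX / sizeof *comps)
        return NULL;
    if (len / 4 < numcomps)     /* 4 input bytes per record */
        return NULL;
    if ((comps = malloc(numcomps * sizeof *comps)) == NULL)
        return NULL;
    for (size_t i = 0; i < numcomps; i++) {
        comps[i].hoff = (uint16_t)((buf[4 * i] << 8) | buf[4 * i + 1]);
        comps[i].voff = (uint16_t)((buf[4 * i + 2] << 8) | buf[4 * i + 3]);
    }
    return comps;
}

int main(void)
{
    const uint8_t bad[] = { 200, 1, 2, 3 };   /* constructed: count > table */
    cox_parms_t p;
    printf("oversized count rejected: %d\n", parse_cox(bad, sizeof bad, &p) == -1);
    return 0;
}
```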
