Message-Id: <E1RbY4v-00056q-0d@titan.mandriva.com>
Date: Fri, 16 Dec 2011 14:44:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:189 ] jasper
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:189
http://www.mandriva.com/security/
_______________________________________________________________________
Package : jasper
Date : December 16, 2011
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been discovered and corrected in jasper:
Heap-based buffer overflow in the jpc_cox_getcompparms function in
libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption)
via a crafted numrlvls value in a JPEG2000 file (CVE-2011-4516).
The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer
1.900.1 uses an incorrect data type during a certain size calculation,
which allows remote attackers to trigger a heap-based buffer overflow
and execute arbitrary code, or cause a denial of service (heap memory
corruption), via a malformed JPEG2000 file (CVE-2011-4517).
The updated packages have been patched to correct these issues.
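Added example, not part of the Mandriva advisory and not JasPer's own code: a simplified C model of the two bug classes described above, showing the bound on a file-supplied resolution-level count before it indexes a fixed array, and an allocation sized by the element type actually stored. The structure layouts, the names parse_cox, alloc_crg and demo, and the capacity MAX_RLVLS are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_RLVLS 33   /* assumed capacity of the fixed per-level array */

typedef struct { uint8_t numrlvls; uint8_t prec[MAX_RLVLS]; } cox_parms_t;
typedef struct { uint16_t hoff, voff; } crg_comp_t;

/* Parse a simplified coding-style body: [level count - 1][one byte per level].
   Returns 0 on success, -1 on malformed input. */
int parse_cox(const uint8_t *buf, size_t len, cox_parms_t *out)
{
    if (len < 1) return -1;
    unsigned numrlvls = (unsigned)buf[0] + 1;   /* value taken from the file */
    /* Without this bound the loop below writes past prec[]. */
    if (numrlvls > MAX_RLVLS) return -1;
    if (len - 1 < numrlvls) return -1;          /* truncated segment */
    out->numrlvls = (uint8_t)numrlvls;
    for (unsigned i = 0; i < numrlvls; ++i)
        out->prec[i] = buf[1 + i];
    return 0;
}

/* Size the per-component array by the struct that is stored in it, and
   reject counts whose byte size would overflow size_t. */
crg_comp_t *alloc_crg(size_t numcomps)
{
    if (numcomps == 0 || numcomps > SIZE_MAX / sizeof(crg_comp_t)) return NULL;
    return calloc(numcomps, sizeof(crg_comp_t));
}

/* Constructed inputs; returns 1 when every case behaves as expected. */
int demo(void)
{
    uint8_t ok[] = {2, 0x11, 0x22, 0x33};   /* 3 levels, 3 bytes present */
    uint8_t crafted[40] = {0xFF};           /* claims 256 levels */
    uint8_t truncated[] = {5, 0x11};        /* claims 6 levels, has 1 */
    cox_parms_t p;
    crg_comp_t *c = alloc_crg(4);
    int good = parse_cox(ok, sizeof ok, &p) == 0 && p.numrlvls == 3
        && parse_cox(crafted, sizeof crafted, &p) == -1
        && parse_cox(truncated, sizeof truncated, &p) == -1
        && c != NULL && alloc_crg(SIZE_MAX) == NULL;
    free(c);
    return good;
}

int main(void) { return demo() ? 0 : 1; }
```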
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
e494dad90e889530c86071f3ffdc2144 2010.1/i586/jasper-1.900.1-12.1mdv2010.2.i586.rpm
b2b08a6ecacf2d26d032b1e65ebf390d 2010.1/i586/libjasper1-1.900.1-12.1mdv2010.2.i586.rpm
71a43faf4f98f4c8220c377691fc6d7c 2010.1/i586/libjasper-devel-1.900.1-12.1mdv2010.2.i586.rpm
002cc21e456874c4927eb0d87c946b98 2010.1/i586/libjasper-static-devel-1.900.1-12.1mdv2010.2.i586.rpm
1cda18f770486d728dc15efdcecc177d 2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
420fb525b80f6921f36a5bdf89e7163e 2010.1/x86_64/jasper-1.900.1-12.1mdv2010.2.x86_64.rpm
9ecae54e76c3e3320ba1837d623c0fbf 2010.1/x86_64/lib64jasper1-1.900.1-12.1mdv2010.2.x86_64.rpm
8f8690f72954f4d33e14b5a61dab39af 2010.1/x86_64/lib64jasper-devel-1.900.1-12.1mdv2010.2.x86_64.rpm
f08f66c77a6bd13aa9e1d642bd38a756 2010.1/x86_64/lib64jasper-static-devel-1.900.1-12.1mdv2010.2.x86_64.rpm
1cda18f770486d728dc15efdcecc177d 2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm
Mandriva Linux 2011:
2ca7cc26dc24d01d159200db795c4f62 2011/i586/jasper-1.900.1-12.1-mdv2011.0.i586.rpm
25681b4aeccde3e9b85b4f565870853f 2011/i586/libjasper1-1.900.1-12.1-mdv2011.0.i586.rpm
fc559da2f2ed5264c7ca37fe313f5979 2011/i586/libjasper-devel-1.900.1-12.1-mdv2011.0.i586.rpm
81cf761c980e151a2a804f1fad5be109 2011/i586/libjasper-static-devel-1.900.1-12.1-mdv2011.0.i586.rpm
e2bbe335c556a330f7993c6119c8d6cc 2011/SRPMS/jasper-1.900.1-12.1.src.rpm
Mandriva Linux 2011/X86_64:
136e4a0960f038fb1d043afc146260ff 2011/x86_64/jasper-1.900.1-12.1-mdv2011.0.x86_64.rpm
bcf658437206939760149448524eceb9 2011/x86_64/lib64jasper1-1.900.1-12.1-mdv2011.0.x86_64.rpm
72d5f142060403ca344c2f0311258381 2011/x86_64/lib64jasper-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm
d8b8311ec34971e7908c1b2bccb671c9 2011/x86_64/lib64jasper-static-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm
e2bbe335c556a330f7993c6119c8d6cc 2011/SRPMS/jasper-1.900.1-12.1.src.rpm
Mandriva Enterprise Server 5:
8bf49dec9c4e4890e3e989ff8fc3bb19 mes5/i586/jasper-1.900.1-4.3mdvmes5.2.i586.rpm
bccebb05fb7594cae930ba03ee527039 mes5/i586/libjasper1-1.900.1-4.3mdvmes5.2.i586.rpm
35b631ab6c5f153c1e2d273142d385f3 mes5/i586/libjasper1-devel-1.900.1-4.3mdvmes5.2.i586.rpm
c01ebaa0319a5bd480a69f3f7d84f35a mes5/i586/libjasper1-static-devel-1.900.1-4.3mdvmes5.2.i586.rpm
8da90dd5afaeb2aaf09daad2f97d83ab mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
8c1aed6122fa87a6341ef2d8282f4390 mes5/x86_64/jasper-1.900.1-4.3mdvmes5.2.x86_64.rpm
83d3051efaa4e26793bea89775e2d461 mes5/x86_64/lib64jasper1-1.900.1-4.3mdvmes5.2.x86_64.rpm
9f7ed89204edddde7b443e7fac61fe2b mes5/x86_64/lib64jasper1-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm
41d45d8a0ca083a26eed5b213cfd7a79 mes5/x86_64/lib64jasper1-static-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm
8da90dd5afaeb2aaf09daad2f97d83ab mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFO6x1nmqjQ0CJFipgRAkhTAJ0bHHUFiodH4z69bX/yKE68Vq3+JQCdEPQm
cE1/h3Xv/zQWnadBoHy4OcY=
=DYuC
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/