Debian 10263 Published by

A jasper security update has been released for Debian GNU/Linux 8 Extended LTS to address several security vulnerabilities.



ELA-329-1 jasper security update

Package jasper
Version 1.900.1-debian1-2.4+deb8u7
Related CVEs CVE-2017-9782 CVE-2018-19139 CVE-2018-19543 CVE-2020-27828

Several security vulnerabilities were found and corrected in jasper, a JPEG 2000 image library, which could lead to denial-of-service or have other unspecified impact.

CVE-2018-19139: Fix memory leaks by registering jpc_unk_destroyparms.

CVE-2020-27828: Avoid maxrlvls more than upper bound to cause heap-buffer-overflow.

CVE-2018-19543 and CVE-2017-9782: There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c.

For Debian 8 jessie, these problems have been fixed in version 1.900.1-debian1-2.4+deb8u7.

We recommend that you upgrade your jasper packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-329-1 jasper security update