To: [email protected]Subject: [ MDVSA-2009:142 ] jasper
Date: Sat, 27 Jun 2009 00:04:00 +0200
From: [email protected]
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1MKJWa-0004Ye-K8@titan.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:142
http://www.mandriva.com/security/
_______________________________________________________________________
Package : jasper
Date : June 26, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0
_______________________________________________________________________
Problem Description:
Multiple security vulnerabilities has been identified and fixed
in jasper:
The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly corrupt
the heap via malformed image files, as originally demonstrated using
imagemagick convert (CVE-2007-2721).
Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).
The jas_stream_tmpfile function in libjasper/base/jas_stream.c in
JasPer 1.900.1 allows local users to overwrite arbitrary files via
a symlink attack on a tmp.XXXXXXXXXX temporary file (CVE-2008-3521).
Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via
vectors related to the mif_hdr_put function and use of vsprintf
(CVE-2008-3522).
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3521http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.1:
b415b975e60c3e47af3b67c21f89fde9 2008.1/i586/jasper-1.900.1-3.1mdv2008.1.i586.rpm
525a4213baf56dee4733976ebbf916af 2008.1/i586/libjasper1-1.900.1-3.1mdv2008.1.i586.rpm
eda31571a90149b4bebdc976b5e04406 2008.1/i586/libjasper1-devel-1.900.1-3.1mdv2008.1.i586.rpm
b974e8d5ef8992aec3b1031de47ac9f4 2008.1/i586/libjasper1-static-devel-1.900.1-3.1mdv2008.1.i586.rpm
01b1f3bcf707d3296f41a736c5bdc7ed 2008.1/SRPMS/jasper-1.900.1-3.1mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
5322cd4a5498e9e9a92777738d4aef90 2008.1/x86_64/jasper-1.900.1-3.1mdv2008.1.x86_64.rpm
f7f0188142c7890148a643218016b809 2008.1/x86_64/lib64jasper1-1.900.1-3.1mdv2008.1.x86_64.rpm
d11f1b52a11db1516ecf51fa2d863238 2008.1/x86_64/lib64jasper1-devel-1.900.1-3.1mdv2008.1.x86_64.rpm
7bf348d780f0392a2256fec32e1136f4 2008.1/x86_64/lib64jasper1-static-devel-1.900.1-3.1mdv2008.1.x86_64.rpm
01b1f3bcf707d3296f41a736c5bdc7ed 2008.1/SRPMS/jasper-1.900.1-3.1mdv2008.1.src.rpm
Mandriva Linux 2009.0:
89674fae78d1e53361413798c598e53a 2009.0/i586/jasper-1.900.1-4.1mdv2009.0.i586.rpm
244e0d289c1ed9223d04d37cce6ac30c 2009.0/i586/libjasper1-1.900.1-4.1mdv2009.0.i586.rpm
adfbe8cbdcf16177a9894753a36ac04d 2009.0/i586/libjasper1-devel-1.900.1-4.1mdv2009.0.i586.rpm
98d7a08e49d6b0b9c3b3ac45ee31fab2 2009.0/i586/libjasper1-static-devel-1.900.1-4.1mdv2009.0.i586.rpm
107b936e8361e9778077500205582db1 2009.0/SRPMS/jasper-1.900.1-4.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
e48536726ba6c83c14fc4a3533c1aa72 2009.0/x86_64/jasper-1.900.1-4.1mdv2009.0.x86_64.rpm
9e756d8c55f33a7a58955c2c556e8b53 2009.0/x86_64/lib64jasper1-1.900.1-4.1mdv2009.0.x86_64.rpm
a3a6ea3a8943d07096bdf2b6bffa905f 2009.0/x86_64/lib64jasper1-devel-1.900.1-4.1mdv2009.0.x86_64.rpm
9035b3ca72439aaadc0d0354ccb7d094 2009.0/x86_64/lib64jasper1-static-devel-1.900.1-4.1mdv2009.0.x86_64.rpm
107b936e8361e9778077500205582db1 2009.0/SRPMS/jasper-1.900.1-4.1mdv2009.0.src.rpm
Mandriva Linux 2009.1:
b11ffbb67ab917d95b23e3d71098da4d 2009.1/i586/jasper-1.900.1-5.1mdv2009.1.i586.rpm
0403d7db1343380b23c87845ad89539c 2009.1/i586/libjasper1-1.900.1-5.1mdv2009.1.i586.rpm
22cd4305bca44bbc47cb42e115514b7f 2009.1/i586/libjasper-devel-1.900.1-5.1mdv2009.1.i586.rpm
9e34a3304b35363853a3c733a87b03fb 2009.1/i586/libjasper-static-devel-1.900.1-5.1mdv2009.1.i586.rpm
ba5e1fd525c267b49e3e5241a922185a 2009.1/SRPMS/jasper-1.900.1-5.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
b4c00f01c5df8638bb4d76c44e4c88cc 2009.1/x86_64/jasper-1.900.1-5.1mdv2009.1.x86_64.rpm
b4aefde111aba037a6738ccdd509f061 2009.1/x86_64/lib64jasper1-1.900.1-5.1mdv2009.1.x86_64.rpm
e3a1dda206b8a383b0da6794198a2e02 2009.1/x86_64/lib64jasper-devel-1.900.1-5.1mdv2009.1.x86_64.rpm
a66c98b93ebd2caca3ce4bb321e092b7 2009.1/x86_64/lib64jasper-static-devel-1.900.1-5.1mdv2009.1.x86_64.rpm
ba5e1fd525c267b49e3e5241a922185a 2009.1/SRPMS/jasper-1.900.1-5.1mdv2009.1.src.rpm
Corporate 4.0:
390256d639cfbc0f15bf6895b3b18450 corporate/4.0/i586/jasper-1.701.0-3.1.20060mlcs4.i586.rpm
44915a643d07e967fca1912bca97a03b corporate/4.0/i586/libjasper1.701_1-1.701.0-3.1.20060mlcs4.i586.rpm
5f4c0ecd6f5f5a7585b1e13f245a86d0 corporate/4.0/i586/libjasper1.701_1-devel-1.701.0-3.1.20060mlcs4.i586.rpm
374d797c523577b4b1839cdc52fe5664 corporate/4.0/i586/libjasper1.701_1-static-devel-1.701.0-3.1.20060mlcs4.i586.rpm
34a9fdad21246f55d452de585dd2bf95 corporate/4.0/SRPMS/jasper-1.701.0-3.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
ba555966cb3df0218a682788d734a4b8 corporate/4.0/x86_64/jasper-1.701.0-3.1.20060mlcs4.x86_64.rpm
82405a393d7454a0da522d4b9cd5bd22 corporate/4.0/x86_64/lib64jasper1.701_1-1.701.0-3.1.20060mlcs4.x86_64.rpm
5443fe74af531fb8786de9d79f989433 corporate/4.0/x86_64/lib64jasper1.701_1-devel-1.701.0-3.1.20060mlcs4.x86_64.rpm
331aea54055a12468e48bcac1604b4c5 corporate/4.0/x86_64/lib64jasper1.701_1-static-devel-1.701.0-3.1.20060mlcs4.x86_64.rpm
34a9fdad21246f55d452de585dd2bf95 corporate/4.0/SRPMS/jasper-1.701.0-3.1.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKRRjKmqjQ0CJFipgRAv9VAKCsQ/vsjSv5D4Kd3zRGitSJzwJflwCfbFIF
UVglFwewEnLqlZH4+9FCP2E=
=7zQK
-----END PGP SIGNATURE-----