This repository has been archived by the owner on Jul 29, 2020. It is now read-only.

CVE-2017-5499 #2

Closed

jubalh opened this issue Jun 15, 2020 · 0 comments · Fixed by #38

Labels

CVE PR available

Member

jubalh commented Jun 15, 2020

Integer overflow in libjasper/jpc/jpc_dec.c in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted file.

Reproducer: https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-jpc_dec_c
http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/

See: jasper-software/jasper#63

jubalh added the CVE label

MaxKellermann linked a pull request

that will close this issue

Lots of CVE fixes #38

Merged

MaxKellermann added the PR available label

jubalh closed this as completed in #38

MaxKellermann mentioned this issue

Multiple Assertion failed in jpc_math.c and jpc_dec.c jasper-software/jasper#190

Closed

jubalh added a commit to jubalh/buildroot that referenced this issue


          Update Jasper to 2.0.19

3c4f2bc

Changes:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix jasper-software/jasper#207

* Fix jasper-software/jasper#194 part 1

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

* New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table

* Fix various memory leaks

* Plenty of code cleanups, and performance improvements

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.