Debian Local Security Checks : Debian: Security Advisory (DSA-3508-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.703508

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DSA-3508-1)

Summary: The remote host is missing an update for the Debian 'jasper' package(s) announced via the DSA-3508-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'jasper' package(s) announced via the DSA-3508-1 advisory.

Vulnerability Insight:
Several vulnerabilities were discovered in JasPer, a library for manipulating JPEG-2000 files. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2016-1577

Jacob Baines discovered a double-free flaw in the jas_iccattrval_destroy function. A remote attacker could exploit this flaw to cause an application using the JasPer library to crash, or potentially, to execute arbitrary code with the privileges of the user running the application.

CVE-2016-2089

The Qihoo 360 Codesafe Team discovered a NULL pointer dereference flaw within the jas_matrix_clip function. A remote attacker could exploit this flaw to cause an application using the JasPer library to crash, resulting in a denial-of-service.

CVE-2016-2116

Tyler Hicks discovered a memory leak flaw in the jas_iccprof_createfrombuf function. A remote attacker could exploit this flaw to cause the JasPer library to consume memory, resulting in a denial-of-service.

For the oldstable distribution (wheezy), these problems have been fixed in version 1.900.1-13+deb7u4.

For the stable distribution (jessie), these problems have been fixed in version 1.900.1-debian1-2.4+deb8u1.

We recommend that you upgrade your jasper packages.

Affected Software/OS:
'jasper' package(s) on Debian 7, Debian 8.

Solution:
Please install the updated package(s).

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2016-1577
BugTraq ID: 84133
http://www.securityfocus.com/bid/84133
Debian Security Information: DSA-3508 (Google Search)
http://www.debian.org/security/2016/dsa-3508
http://www.openwall.com/lists/oss-security/2016/03/03/12
RedHat Security Advisories: RHSA-2017:1208
https://access.redhat.com/errata/RHSA-2017:1208
http://www.ubuntu.com/usn/USN-2919-1
Common Vulnerability Exposure (CVE) ID: CVE-2016-2089
BugTraq ID: 83108
http://www.securityfocus.com/bid/83108
http://www.openwall.com/lists/oss-security/2016/01/28/6
http://www.openwall.com/lists/oss-security/2016/01/28/4
SuSE Security Announcement: openSUSE-SU-2016:0408 (Google Search)
http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html
SuSE Security Announcement: openSUSE-SU-2016:0413 (Google Search)
http://lists.opensuse.org/opensuse-updates/2016-02/msg00063.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-2116

Copyright Copyright (C) 2016 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.703508
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-3508-1)
Summary:	The remote host is missing an update for the Debian 'jasper' package(s) announced via the DSA-3508-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'jasper' package(s) announced via the DSA-3508-1 advisory. Vulnerability Insight: Several vulnerabilities were discovered in JasPer, a library for manipulating JPEG-2000 files. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-1577 Jacob Baines discovered a double-free flaw in the jas_iccattrval_destroy function. A remote attacker could exploit this flaw to cause an application using the JasPer library to crash, or potentially, to execute arbitrary code with the privileges of the user running the application. CVE-2016-2089 The Qihoo 360 Codesafe Team discovered a NULL pointer dereference flaw within the jas_matrix_clip function. A remote attacker could exploit this flaw to cause an application using the JasPer library to crash, resulting in a denial-of-service. CVE-2016-2116 Tyler Hicks discovered a memory leak flaw in the jas_iccprof_createfrombuf function. A remote attacker could exploit this flaw to cause the JasPer library to consume memory, resulting in a denial-of-service. For the oldstable distribution (wheezy), these problems have been fixed in version 1.900.1-13+deb7u4. For the stable distribution (jessie), these problems have been fixed in version 1.900.1-debian1-2.4+deb8u1. We recommend that you upgrade your jasper packages. Affected Software/OS: 'jasper' package(s) on Debian 7, Debian 8. Solution: Please install the updated package(s). CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2016-1577 BugTraq ID: 84133 http://www.securityfocus.com/bid/84133 Debian Security Information: DSA-3508 (Google Search) http://www.debian.org/security/2016/dsa-3508 http://www.openwall.com/lists/oss-security/2016/03/03/12 RedHat Security Advisories: RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208 http://www.ubuntu.com/usn/USN-2919-1 Common Vulnerability Exposure (CVE) ID: CVE-2016-2089 BugTraq ID: 83108 http://www.securityfocus.com/bid/83108 http://www.openwall.com/lists/oss-security/2016/01/28/6 http://www.openwall.com/lists/oss-security/2016/01/28/4 SuSE Security Announcement: openSUSE-SU-2016:0408 (Google Search) http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html SuSE Security Announcement: openSUSE-SU-2016:0413 (Google Search) http://lists.opensuse.org/opensuse-updates/2016-02/msg00063.html Common Vulnerability Exposure (CVE) ID: CVE-2016-2116
Copyright	Copyright (C) 2016 Greenbone AG