Description:
Summary: The remote host is missing an update for the 'jasper' package(s) announced via the SUSE-SU-2015:0258-1 advisory.
Vulnerability Insight: This update for jasper fixes the following security issues:
* CVE-2014-8137: Double free in jas_iccattrval_destroy(). Double call to free() allowed attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (bsc#909474)
* CVE-2014-8138: Heap overflow in jas_decode(). This could be used to do an arbitrary write and could result in arbitrary code execution. (bsc#909475)
* CVE-2014-8157: Off-by-one error in jpc_dec_process_sot(). Could allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow. (bsc#911837)
* CVE-2014-8158: Multiple stack-based buffer overflows in jpc_qmfb.c. Could allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image. (bsc#911837)
Security Issues:
* CVE-2014-8138
* CVE-2014-8137
* CVE-2014-8157
* CVE-2014-8158
Affected Software/OS: 'jasper' package(s) on SUSE Linux Enterprise Desktop 11-SP3, SUSE Linux Enterprise Server 11-SP3, SUSE Linux Enterprise Server for SAP Applications 11-SP3.
Solution: Please install the updated package(s).
CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P