Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in jasper
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in jasper
ID: MDVSA-2009:142-1
Distribution: Mandriva
Plattformen: Mandriva 2008.0
Datum: Fr, 4. Dezember 2009, 00:18
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
Applikationen: JasPer

Originalnachricht

This is a multi-part message in MIME format...

------------=_1259882310-24326-1584


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:142-1
http://www.mandriva.com/security/
_______________________________________________________________________

Package : jasper
Date : December 3, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities has been identified and fixed
in jasper:

The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly corrupt
the heap via malformed image files, as originally demonstrated using
imagemagick convert (CVE-2007-2721).

Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).

The jas_stream_tmpfile function in libjasper/base/jas_stream.c in
JasPer 1.900.1 allows local users to overwrite arbitrary files via
a symlink attack on a tmp.XXXXXXXXXX temporary file (CVE-2008-3521).

Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via
vectors related to the mif_hdr_put function and use of vsprintf
(CVE-2008-3522).

The updated packages have been patched to prevent this.

Update:

Packages for 2008.0 are being provided due to extended support for
Corporate products.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
5f9c8dfae30f0cadf061de621b8c8001
2008.0/i586/jasper-1.900.1-2.1mdv2008.0.i586.rpm
31a18f0fd0eaf9fe8fbc3152716c5a97
2008.0/i586/libjasper1-1.900.1-2.1mdv2008.0.i586.rpm
c19c0a59243be390523cfeb26362e177
2008.0/i586/libjasper1-devel-1.900.1-2.1mdv2008.0.i586.rpm
88a5c06798169a312935e33918194286
2008.0/i586/libjasper1-static-devel-1.900.1-2.1mdv2008.0.i586.rpm
16072736699b72d0d545a3b632fa0d70
2008.0/SRPMS/jasper-1.900.1-2.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
387d1e14ef8069d239bff354726b26cb
2008.0/x86_64/jasper-1.900.1-2.1mdv2008.0.x86_64.rpm
2ab7bf2550e00e423b511b5921a103b3
2008.0/x86_64/lib64jasper1-1.900.1-2.1mdv2008.0.x86_64.rpm
5abd166c380e4ed1cc9b925b5d0f1845
2008.0/x86_64/lib64jasper1-devel-1.900.1-2.1mdv2008.0.x86_64.rpm
36e2d6ef0ceb0ffdfa88265a9b016173
2008.0/x86_64/lib64jasper1-static-devel-1.900.1-2.1mdv2008.0.x86_64.rpm
16072736699b72d0d545a3b632fa0d70
2008.0/SRPMS/jasper-1.900.1-2.1mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGBu5mqjQ0CJFipgRAnnxAKC1Yqp3matYvYtzco9NCLtW6KlsNgCgjIzw
PL7nkNJNn62nP+NYytohvZk=
=f+gJ
-----END PGP SIGNATURE-----


------------=_1259882310-24326-1584
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1259882310-24326-1584--
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung