Sicherheit: Zwei Probleme in JasPer

Lesezeichen hinzufügen

This is a multi-part message in MIME format...

------------=_1324043109-2333-511

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2011:189
http://www.mandriva.com/security/
_______________________________________________________________________

Package : jasper
Date : December 16, 2011
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in jasper:

Heap-based buffer overflow in the jpc_cox_getcompparms function in
libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption)
via a crafted numrlvls value in a JPEG2000 file (CVE-2011-4516).

The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer
1.900.1 uses an incorrect data type during a certain size calculation,
which allows remote attackers to trigger a heap-based buffer overflow
and execute arbitrary code, or cause a denial of service (heap memory
corruption), via a malformed JPEG2000 file (CVE-2011-4517).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.1:
e494dad90e889530c86071f3ffdc2144
2010.1/i586/jasper-1.900.1-12.1mdv2010.2.i586.rpm
b2b08a6ecacf2d26d032b1e65ebf390d
2010.1/i586/libjasper1-1.900.1-12.1mdv2010.2.i586.rpm
71a43faf4f98f4c8220c377691fc6d7c
2010.1/i586/libjasper-devel-1.900.1-12.1mdv2010.2.i586.rpm
002cc21e456874c4927eb0d87c946b98
2010.1/i586/libjasper-static-devel-1.900.1-12.1mdv2010.2.i586.rpm
1cda18f770486d728dc15efdcecc177d
2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
420fb525b80f6921f36a5bdf89e7163e
2010.1/x86_64/jasper-1.900.1-12.1mdv2010.2.x86_64.rpm
9ecae54e76c3e3320ba1837d623c0fbf
2010.1/x86_64/lib64jasper1-1.900.1-12.1mdv2010.2.x86_64.rpm
8f8690f72954f4d33e14b5a61dab39af
2010.1/x86_64/lib64jasper-devel-1.900.1-12.1mdv2010.2.x86_64.rpm
f08f66c77a6bd13aa9e1d642bd38a756
2010.1/x86_64/lib64jasper-static-devel-1.900.1-12.1mdv2010.2.x86_64.rpm
1cda18f770486d728dc15efdcecc177d
2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm

Mandriva Linux 2011:
2ca7cc26dc24d01d159200db795c4f62
2011/i586/jasper-1.900.1-12.1-mdv2011.0.i586.rpm
25681b4aeccde3e9b85b4f565870853f
2011/i586/libjasper1-1.900.1-12.1-mdv2011.0.i586.rpm
fc559da2f2ed5264c7ca37fe313f5979
2011/i586/libjasper-devel-1.900.1-12.1-mdv2011.0.i586.rpm
81cf761c980e151a2a804f1fad5be109
2011/i586/libjasper-static-devel-1.900.1-12.1-mdv2011.0.i586.rpm
e2bbe335c556a330f7993c6119c8d6cc 2011/SRPMS/jasper-1.900.1-12.1.src.rpm

Mandriva Linux 2011/X86_64:
136e4a0960f038fb1d043afc146260ff
2011/x86_64/jasper-1.900.1-12.1-mdv2011.0.x86_64.rpm
bcf658437206939760149448524eceb9
2011/x86_64/lib64jasper1-1.900.1-12.1-mdv2011.0.x86_64.rpm
72d5f142060403ca344c2f0311258381
2011/x86_64/lib64jasper-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm
d8b8311ec34971e7908c1b2bccb671c9
2011/x86_64/lib64jasper-static-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm
e2bbe335c556a330f7993c6119c8d6cc 2011/SRPMS/jasper-1.900.1-12.1.src.rpm

Mandriva Enterprise Server 5:
8bf49dec9c4e4890e3e989ff8fc3bb19
mes5/i586/jasper-1.900.1-4.3mdvmes5.2.i586.rpm
bccebb05fb7594cae930ba03ee527039
mes5/i586/libjasper1-1.900.1-4.3mdvmes5.2.i586.rpm
35b631ab6c5f153c1e2d273142d385f3
mes5/i586/libjasper1-devel-1.900.1-4.3mdvmes5.2.i586.rpm
c01ebaa0319a5bd480a69f3f7d84f35a
mes5/i586/libjasper1-static-devel-1.900.1-4.3mdvmes5.2.i586.rpm
8da90dd5afaeb2aaf09daad2f97d83ab
mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
8c1aed6122fa87a6341ef2d8282f4390
mes5/x86_64/jasper-1.900.1-4.3mdvmes5.2.x86_64.rpm
83d3051efaa4e26793bea89775e2d461
mes5/x86_64/lib64jasper1-1.900.1-4.3mdvmes5.2.x86_64.rpm
9f7ed89204edddde7b443e7fac61fe2b
mes5/x86_64/lib64jasper1-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm
41d45d8a0ca083a26eed5b213cfd7a79
mes5/x86_64/lib64jasper1-static-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm
8da90dd5afaeb2aaf09daad2f97d83ab
mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFO6x1nmqjQ0CJFipgRAkhTAJ0bHHUFiodH4z69bX/yKE68Vq3+JQCdEPQm
cE1/h3Xv/zQWnadBoHy4OcY=
=DYuC
-----END PGP SIGNATURE-----

------------=_1324043109-2333-511
Content-Type: text/plain; charset="UTF-8";
name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1324043109-2333-511--