jasper-2.0.14-5.el8

エラータID: AXSA:2021-2685:01

Release date: 
Monday, December 13, 2021 - 04:40
Subject: 
jasper-2.0.14-5.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

standard.

Security Fix(es):

* jasper: Heap-based buffer overflow in cp_create() in jpc_enc.c
(CVE-2020-27828)
* jasper: Heap-based buffer over-read in jp2_decode() in jp2_dec.c
(CVE-2021-3272)
* jasper: Out of bounds read in jp2_decode() in jp2_dec.c (CVE-2021-26926)
* jasper: NULL pointer dereference in jp2_decode() in jp2_dec.c
(CVE-2021-26927)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2020-27828
There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted
input provided to jasper by an attacker could cause an arbitrary out-of-bounds
write. This could potentially affect data confidentiality, integrity, or
application availability.
CVE-2021-3272
jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based
buffer over-read when there is an invalid relationship between the number of
channels and the number of image components.
CVE-2021-26926
A flaw was found in jasper before 2.0.25. An out of bounds read issue was found
in jp2_decode function whic may lead to disclosure of information or program
crash.
CVE-2021-26927
A flaw was found in jasper before 2.0.25. A null pointer dereference in
jp2_decode in jp2_dec.c may lead to program crash and denial of service.

Solution: 

Update packages.

CVEs: 
CVE-2020-27828
There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.
CVE-2021-26926
A flaw was found in jasper before 2.0.25. An out of bounds read issue was found in jp2_decode function whic may lead to disclosure of information or program crash.
CVE-2021-26927
A flaw was found in jasper before 2.0.25. A null pointer dereference in jp2_decode in jp2_dec.c may lead to program crash and denial of service.
CVE-2021-3272
jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.
Additional Info: 

N/A

Download: 

SRPMS
  1. jasper-2.0.14-5.el8.src.rpm
    MD5: c687a5bdb344bd1791ca4700ae6502fe
    SHA-256: bac903e6f3853b9587d9aa24d824c6c3cdac92c36405ff6991fe374a2492583b
    Size: 1.61 MB

Asianux Server 8 for x86_64
  1. jasper-devel-2.0.14-5.el8.x86_64.rpm
    MD5: bf13c0a7c82729ee21d5348816ed4d16
    SHA-256: a9f2cebcf2b0b01c9fd02002471f6741547c28db563d4bbdf40b400d494fc74a
    Size: 634.18 kB
  2. jasper-libs-2.0.14-5.el8.x86_64.rpm
    MD5: f70143401964e3087fb1107f978c5ee3
    SHA-256: c845e47c76b83c4cf895d15e9412df1d5701c3924e272ab4837e96fbdf217e40
    Size: 165.56 kB
  3. jasper-devel-2.0.14-5.el8.i686.rpm
    MD5: 1ae02cbebb5922b4b774d4202d5b902b
    SHA-256: 9e89f424dd0fa78963c0cc1da30a4ea613cc6c93859c78f0f0d45b857de9341f
    Size: 634.20 kB
  4. jasper-libs-2.0.14-5.el8.i686.rpm
    MD5: 3f82d55f63c3e7cd56d283f088d11cb8
    SHA-256: 547a5ccc2d654610df21535d7257b3e6d5d94a0fddcd16755dc033f6155c9d46
    Size: 173.62 kB