LinuxSecurity.com
Mandriva: 2011:189: jasper
Posted by Benjamin D. Thomas   
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:189
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : jasper
 Date    : December 16, 2011
 Affected: 2010.1, 2011, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in jasper:
 
 Heap-based buffer overflow in the jpc_cox_getcompparms function in
 libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to
 execute arbitrary code or cause a denial of service (memory corruption)
 via a crafted numrlvls value in a JPEG2000 file (CVE-2011-4516).
 
 The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer
 1.900.1 uses an incorrect data type during a certain size calculation,
 which allows remote attackers to trigger a heap-based buffer overflow
 and execute arbitrary code, or cause a denial of service (heap memory
 corruption), via a malformed JPEG2000 file (CVE-2011-4517).
 
 The updated packages have been patched to correct these issues.
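
 The two defect classes described above are a file-supplied count used to index a fixed-size table, and an allocation sized with the wrong data type. The C sketch below is an added illustration of the hardened form of both; it is not JasPer's source or the Mandriva patch, and the segment layout, the MAX_RLVLS value and all type and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RLVLS 33  /* assumed capacity of the fixed per-level table */

typedef struct { uint8_t parwidthval, parheightval; } rlvl_t;
typedef struct { unsigned numrlvls; rlvl_t rlvls[MAX_RLVLS]; } compparms_t;
typedef struct { uint16_t hoff, voff; } crgcomp_t;

/* Constructed layout: buf[0] = decomposition levels, then one precinct
 * byte per resolution level (low nibble width, high nibble height). */
int parse_compparms(const uint8_t *buf, size_t len, compparms_t *out)
{
    if (len < 1)
        return -1;
    unsigned n = (unsigned)buf[0] + 1;   /* resolution levels from the file */
    if (n > MAX_RLVLS)                   /* bound check: reject before any */
        return -1;                       /* write into out->rlvls[]        */
    if (len - 1 < n)                     /* truncated segment */
        return -1;
    out->numrlvls = n;
    for (unsigned i = 0; i < n; ++i) {
        out->rlvls[i].parwidthval = buf[1 + i] & 0x0f;
        out->rlvls[i].parheightval = buf[1 + i] >> 4;
    }
    return 0;
}

/* Size the table from the element type actually stored in it, and refuse
 * a count whose byte size would overflow size_t. */
crgcomp_t *alloc_crgcomps(size_t numcomps)
{
    crgcomp_t *comps;
    if (numcomps == 0 || numcomps > SIZE_MAX / sizeof *comps)
        return NULL;
    comps = calloc(numcomps, sizeof *comps);
    return comps;
}

int main(void)
{
    uint8_t seg[] = { 1, 0x54, 0x66 };   /* constructed: 2 resolution levels */
    compparms_t cp;
    printf("parse: %d\n", parse_compparms(seg, sizeof seg, &cp));
    return 0;
}
```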
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________
 