Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:887409
HistoryDec 08, 2011 - 12:00 a.m.

JasPer memory corruption vulnerabilities

2011-12-0800:00:00
www.kb.cert.org
11

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.172 Low

EPSS

Percentile

96.1%

JSON

Overview

Some versions of JasPer contain multiple vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code.

Description

JasPer fails to properly decode marker segments and other sections in malformed JPEG2000 files. Malformed inputs can cause heap buffer overflows which in turn may result in execution of attacker-controlled code.

CVE-2011-4516: src/libjasper/jpc/jpc_cs.c: jpc_cox_getcompparms

jpc_cox_getcomparms is called as part of the decoding of a coding style default (COD) marker segment. The function populates a parameter struct (jpc_msparms_t) that is contained in a marker segment struct (jpc_ms_t). jpc_cox_getcompparms contains a loop that copies data from the input file to the jpc_msparms_t struct. The loop terminates on a value (numrlvls) derived from the input file:

for (i = 0; i < compparms->numrlvls; ++i) {
if (jpc_getuint8(in, &tmp)) {
jpc_cox_destroycompparms(compparms);
return -1;
}
compparms->rlvls[i].parwidthval = tmp & 0xf;
compparms->rlvls[i].parheightval = (tmp >> 4) & 0xf;
}
numrlvls is read from the input file. The attacker can control numrlvls to overflow the jpc_msparms_t struct and copy attacker-controlled data from the input file into a struct of callback functions (jpc_msops_s) that appears in jpc_ms_t (src/libjasper/jpc/jpc_cs.h) just after jpc_msparms_t:

typedef struct {

/* The type of marker segment. */
uint_fast16_t id;

/* The length of the marker segment. */
uint_fast16_t len;

/* The starting offset within the stream. */
uint_fast32_t off;

/* The parameters of the marker segment. */
jpc_msparms_t parms;

/* The marker segment operations. */
struct jpc_msops_s *ops;

} jpc_ms_t;

Any subsequent failures in decoding the marker segment will result in the destroyparms member of the callback struct being invoked as part of cleanup. If the attacker has overwritten this callback via the loop above, attacker-controlled values can be loaded into the program counter.

CVE-2011-4517: src/libjasper/jpc/jpc_cs.c: jpc_crg_getparms

jpc_crg_getparms is called as part of the decoding of a component registration (CRG) marker segment. This function populates a heap buffer with data derived from the input file (in).

The function contains an allocation size/type error. The heap buffer size is calculated using sizeof(uint_fast16_t) but the rest of the function assumes sizeof(jpc_crgcomp_t).

jpc_crgcomp_t *comp;
...
if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
return -1;
}
...
for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
++compno, ++comp) {
if (jpc_getuint16(in, &comp->hoff) ||
jpc_getuint16(in, &comp->voff)) {
jpc_crg_destroyparms(ms);
return -1;
}
}

The attacker can overwrite the bytes after crg->comp in memory with arbitrary data. This is a heap buffer overflow, which is generally considered exploitable.

There are additional security implications here as well, however. The loop above is controlled by cstate->numcomps (cstate as one member: numcomps). cstate is allocated in a calling function, and is often allocated just before crg->comp. On some platforms the heap chunk allocated for cstate is located just after the heap chunk allocated for crg->comp, separated by only 4 bytes of heap accounting info. The accounting info + cstate (8 bytes after crg->comp) can be overwritten with bytes from the input file via the loop above. In these cases, the attacker can place a large number in cstate->numcomps to make the loop above iterate past the expected bound of crg->comps and copy an arbitrary number of bytes from the input file into heap (a heap buffer overflow). This enables the attacker to perform well-known heap exploitations, as well as allowing the attacker to overwrite other active heap allocations such as the callback pointers referenced in the previous bug description.

Impact

By tricking a user into opening or previewing an image file in an application that decodes images with the JasPer library, an attacker can execute arbitrary code or cause a denial-of-service crash.

Solution

Apply an update

Users who obtain JasPer from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.

Please consider the following workarounds:

Avoid processing malicious image files

Turn off image preview features in file browsers and other applications that use the JasPer library. Avoid opening image attachments from untrusted or unrecognized sources.

Vendor Information

887409

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Artifex Software, Inc. Affected

Updated: June 14, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Affected

Notified: October 20, 2011 Updated: June 14, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Affected

Notified: October 20, 2011 Updated: December 08, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Affected

Notified: October 20, 2011 Updated: June 14, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation Affected

Notified: October 20, 2011 Updated: March 02, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Red Hat, Inc. Affected

Notified: October 20, 2011 Updated: December 08, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Affected

Notified: October 20, 2011 Updated: December 08, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Affected

Notified: October 20, 2011 Updated: December 08, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc. __ Not Affected

Notified: October 20, 2011 Updated: December 08, 2011

Statement Date: October 22, 2011

Status

Not Affected

Vendor Statement

The library in question is not used in any version of OS X or iOS.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. __ Not Affected

Notified: October 20, 2011 Updated: December 08, 2011

Statement Date: December 02, 2011

Status

Not Affected

Vendor Statement

Juniper Networks products are not susceptible to this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux __ Not Affected

Notified: October 20, 2011 Updated: December 08, 2011

Statement Date: December 05, 2011

Status

Not Affected

Vendor Statement

Our products do not use JasPer.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: October 20, 2011 Updated: October 20, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 43 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base 9 AV:N/AC:M/Au:N/C:C/I:C/A:P
Temporal 7 E:POC/RL:OF/RC:C
Environmental 7.1 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

These vulnerabilities were discovered by Jonathan Foote of the CERT/CC.

This document was written by Jonathan Foote.

Other Information

CVE IDs: CVE-2011-4516, CVE-2011-4517
Severity Metric: 3.58 Date Public:

Related

nessus 30
suse 3
fedora 5
openvas 34
oraclelinux 2
securityvulns 2
gentoo 1
ubuntu 2
redhat 3
debian 1
centos 2
veracode 2
archlinux 1
freebsd 1
debiancve 2
ubuntucve 2
checkpoint_advisories 3
cve 4
prion 4
amazon 1
redhatcve 2
slackware 1
oracle 1
nessus
nessus
openSUSE Security Update : jasper (openSUSE-SU-2011:1328-1)
2014-06-13 00:00:00
Fedora 15 : jasper-1.900.1-18.fc15 (2011-16955)
2012-01-03 00:00:00
GLSA-201201-10 : JasPer: User-assisted execution of arbitrary code
2012-01-24 00:00:00
suse
suse
Security update for jasper (important)
2011-12-14 19:08:30
Security update for jasper (important)
2011-12-12 02:08:33
jasper (important)
2011-12-16 13:08:23
fedora
fedora
[SECURITY] Fedora 15 Update: jasper-1.900.1-18.fc15
2012-01-02 21:52:41
[SECURITY] Fedora 16 Update: jasper-1.900.1-18.fc16
2011-12-30 22:53:37
[SECURITY] Fedora 21 Update: mingw-jasper-1.900.1-24.fc21
2014-12-17 04:47:06
openvas
openvas
RedHat Update for jasper RHSA-2011:1807-01
2012-07-09 00:00:00
CentOS Update for jasper CESA-2011:1807 centos6
2012-07-30 00:00:00
Gentoo Security Advisory GLSA 201201-10 (JasPer)
2012-02-12 00:00:00
oraclelinux
oraclelinux
jasper security update
2011-12-14 00:00:00
netpbm security update
2011-12-12 00:00:00
securityvulns
securityvulns
JasPer library security vulnerabilities
2011-12-19 00:00:00
Oracle / Sun / People Soft / MySQL applications multiple security vulnerabilities
2012-03-10 00:00:00
gentoo
gentoo
JasPer: User-assisted execution of arbitrary code
2012-01-23 00:00:00
ubuntu
ubuntu
JasPer vulnerabilities
2011-12-20 00:00:00
Ghostscript vulnerabilities
2012-01-04 00:00:00
redhat
redhat
(RHSA-2011:1807) Important: jasper security update
2011-12-09 00:00:00
(RHSA-2011:1811) Important: netpbm security update
2011-12-12 00:00:00
(RHSA-2015:0698) Important: rhevm-spice-client security, bug fix, and enhancement update
2015-03-18 00:00:00
debian
debian
[SECURITY] [DSA 2371-1] jasper security update
2011-12-24 15:51:21
centos
centos
jasper security update
2011-12-22 15:46:17
netpbm security update
2011-12-12 22:16:22
veracode
veracode
Memory Corruption
2019-05-02 04:40:58
Denial Of Service (DoS) Or Remote Code Execution (RCE)
2019-05-02 04:40:58
archlinux
archlinux
jasper: arbitrary code execution
2014-12-19 00:00:00
freebsd
freebsd
jasper -- buffer overflow
2011-12-09 00:00:00
debiancve
debiancve
CVE-2011-4516
2011-12-15 03:57:00
CVE-2011-4517
2011-12-15 03:57:00
ubuntucve
ubuntucve
CVE-2011-4516
2011-12-14 00:00:00
CVE-2011-4517
2011-12-14 00:00:00
checkpoint_advisories
checkpoint_advisories
Oracle Outside In JPEG 2000 COD and COC Parameter Heap Buffer Overflow (CVE-2011-4516)
2012-08-27 00:00:00
Oracle Outside In JPEG 2000 Parameter Heap Buffer Overflow (CVE-2011-4516)
2012-12-13 00:00:00
Oracle Outside In JPEG 2000 CRG Segment Processing Heap Buffer Overflow (CVE-2011-4517)
2012-10-14 00:00:00
cve
cve
CVE-2011-4516
2011-12-15 03:57:00
CVE-2011-4517
2011-12-15 03:57:00
CVE-2016-8881
2017-01-13 16:59:00
prion
prion
Heap overflow
2011-12-15 03:57:00
Heap overflow
2011-12-15 03:57:00
Design/Logic Flaw
2017-01-13 16:59:00
amazon
amazon
Important: jasper
2011-12-12 13:45:00
redhatcve
redhatcve
CVE-2016-8881
2016-10-26 11:15:47
CVE-2016-8880
2016-10-26 10:47:53
slackware
slackware
[slackware-security] jasper
2015-10-29 22:48:48
oracle
oracle
Oracle Critical Patch Update - January 2012
2012-01-17 00:00:00

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.172 Low

EPSS

Percentile

96.1%

JSON
Related for VU:887409
nessus30suse3fedora5openvas34oraclelinux2securityvulns2gentoo1ubuntu2redhat3debian1centos2veracode2archlinux1freebsd1debiancve2ubuntucve2checkpoint_advisories3cve4prion4amazon1redhatcve2slackware1oracle1