ID FEDORA:BB13C6085FA1 Type fedora Reporter Fedora Modified 2016-10-16T18:55:11
Description
This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats.
{"cve": [{"lastseen": "2020-10-03T12:10:42", "description": "The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted JPEG 2000 image.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-02-08T19:59:00", "title": "CVE-2016-2089", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2089"], "modified": "2018-01-05T02:30:00", "cpe": ["cpe:/a:jasper_project:jasper:1.900.1"], "id": "CVE-2016-2089", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2089", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:jasper_project:jasper:1.900.1:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:34:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2089"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-07T00:00:00", "id": "OPENVAS:1361412562310872041", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872041", "type": "openvas", "title": "Fedora Update for jasper FEDORA-2016-39b00344ac", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jasper FEDORA-2016-39b00344ac\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872041\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:25:27 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-2089\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jasper FEDORA-2016-39b00344ac\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jasper'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jasper on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-39b00344ac\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGSK77EX2M3X2S4ZCQ2AE36AANMRZM5L\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"jasper\", rpm:\"jasper~1.900.3~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-07-24T12:55:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2089", "CVE-2016-1577", "CVE-2016-2116"], "description": "Several vulnerabilities were\ndiscovered in JasPer, a library for manipulating JPEG-2000 files. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2016-1577\nJacob Baines discovered a double-free flaw in the\njas_iccattrval_destroy function. A remote attacker could exploit\nthis flaw to cause an application using the JasPer library to crash,\nor potentially, to execute arbitrary code with the privileges of the\nuser running the application.\n\nCVE-2016-2089\nThe Qihoo 360 Codesafe Team discovered a NULL pointer dereference\nflaw within the jas_matrix_clip function. A remote attacker could\nexploit this flaw to cause an application using the JasPer library\nto crash, resulting in a denial-of-service.\n\nCVE-2016-2116\nTyler Hicks discovered a memory leak flaw in the\njas_iccprof_createfrombuf function. A remote attacker could exploit\nthis flaw to cause the JasPer library to consume memory, resulting\nin a denial-of-service.", "modified": "2017-07-07T00:00:00", "published": "2016-03-06T00:00:00", "id": "OPENVAS:703508", "href": "http://plugins.openvas.org/nasl.php?oid=703508", "type": "openvas", "title": "Debian Security Advisory DSA 3508-1 (jasper - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3508.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3508-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703508);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-1577\", \"CVE-2016-2089\", \"CVE-2016-2116\");\n script_name(\"Debian Security Advisory DSA 3508-1 (jasper - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-03-06 00:00:00 +0100 (Sun, 06 Mar 2016)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3508.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"jasper on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1.900.1-13+deb7u4.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.900.1-debian1-2.4+deb8u1.\n\nWe recommend that you upgrade your jasper packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were\ndiscovered in JasPer, a library for manipulating JPEG-2000 files. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2016-1577\nJacob Baines discovered a double-free flaw in the\njas_iccattrval_destroy function. A remote attacker could exploit\nthis flaw to cause an application using the JasPer library to crash,\nor potentially, to execute arbitrary code with the privileges of the\nuser running the application.\n\nCVE-2016-2089\nThe Qihoo 360 Codesafe Team discovered a NULL pointer dereference\nflaw within the jas_matrix_clip function. A remote attacker could\nexploit this flaw to cause an application using the JasPer library\nto crash, resulting in a denial-of-service.\n\nCVE-2016-2116\nTyler Hicks discovered a memory leak flaw in the\njas_iccprof_createfrombuf function. A remote attacker could exploit\nthis flaw to cause the JasPer library to consume memory, resulting\nin a denial-of-service.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed\nsoftware version using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libjasper-dev\", ver:\"1.900.1-13+deb7u4\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libjasper-runtime\", ver:\"1.900.1-13+deb7u4\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libjasper1\", ver:\"1.900.1-13+deb7u4\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libjasper-dev\", ver:\"1.900.1-debian1-2.4+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libjasper-runtime\", ver:\"1.900.1-debian1-2.4+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libjasper1:amd64\", ver:\"1.900.1-debian1-2.4+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libjasper1:i386\", ver:\"1.900.1-debian1-2.4+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:35:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2089", "CVE-2016-1577", "CVE-2016-2116"], "description": "Several vulnerabilities were\ndiscovered in JasPer, a library for manipulating JPEG-2000 files. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2016-1577\nJacob Baines discovered a double-free flaw in the\njas_iccattrval_destroy function. A remote attacker could exploit\nthis flaw to cause an application using the JasPer library to crash,\nor potentially, to execute arbitrary code with the privileges of the\nuser running the application.\n\nCVE-2016-2089\nThe Qihoo 360 Codesafe Team discovered a NULL pointer dereference\nflaw within the jas_matrix_clip function. A remote attacker could\nexploit this flaw to cause an application using the JasPer library\nto crash, resulting in a denial-of-service.\n\nCVE-2016-2116\nTyler Hicks discovered a memory leak flaw in the\njas_iccprof_createfrombuf function. A remote attacker could exploit\nthis flaw to cause the JasPer library to consume memory, resulting\nin a denial-of-service.", "modified": "2019-03-18T00:00:00", "published": "2016-03-06T00:00:00", "id": "OPENVAS:1361412562310703508", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703508", "type": "openvas", "title": "Debian Security Advisory DSA 3508-1 (jasper - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3508.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3508-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703508\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2016-1577\", \"CVE-2016-2089\", \"CVE-2016-2116\");\n script_name(\"Debian Security Advisory DSA 3508-1 (jasper - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-06 00:00:00 +0100 (Sun, 06 Mar 2016)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3508.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(7|8)\");\n script_tag(name:\"affected\", value:\"jasper on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1.900.1-13+deb7u4.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.900.1-debian1-2.4+deb8u1.\n\nWe recommend that you upgrade your jasper packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities were\ndiscovered in JasPer, a library for manipulating JPEG-2000 files. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2016-1577\nJacob Baines discovered a double-free flaw in the\njas_iccattrval_destroy function. A remote attacker could exploit\nthis flaw to cause an application using the JasPer library to crash,\nor potentially, to execute arbitrary code with the privileges of the\nuser running the application.\n\nCVE-2016-2089\nThe Qihoo 360 Codesafe Team discovered a NULL pointer dereference\nflaw within the jas_matrix_clip function. A remote attacker could\nexploit this flaw to cause an application using the JasPer library\nto crash, resulting in a denial-of-service.\n\nCVE-2016-2116\nTyler Hicks discovered a memory leak flaw in the\njas_iccprof_createfrombuf function. A remote attacker could exploit\nthis flaw to cause the JasPer library to consume memory, resulting\nin a denial-of-service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed\nsoftware version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libjasper-dev\", ver:\"1.900.1-13+deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libjasper-runtime\", ver:\"1.900.1-13+deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libjasper1\", ver:\"1.900.1-13+deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libjasper-dev\", ver:\"1.900.1-debian1-2.4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libjasper-runtime\", ver:\"1.900.1-debian1-2.4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libjasper1:amd64\", ver:\"1.900.1-debian1-2.4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libjasper1:i386\", ver:\"1.900.1-debian1-2.4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2089", "CVE-2016-1577", "CVE-2016-2116"], "description": "Mageia Linux Local Security Checks mgasa-2016-0100", "modified": "2018-10-12T00:00:00", "published": "2016-03-08T00:00:00", "id": "OPENVAS:1361412562310131254", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131254", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0100", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0100.nasl 11856 2018-10-12 07:45:29Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131254\");\n script_version(\"$Revision: 11856 $\");\n script_tag(name:\"creation_date\", value:\"2016-03-08 07:15:18 +0200 (Tue, 08 Mar 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 09:45:29 +0200 (Fri, 12 Oct 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0100\");\n script_tag(name:\"insight\", value:\"Updated jasper packages fix security vulnerabilities: The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted JPEG 2000 image (CVE-2016-2089). Jacob Baines discovered that a double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file (CVE-2016-1577). Tyler Hicks discovered that a memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file (CVE-2016-2116).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0100.html\");\n script_cve_id(\"CVE-2016-1577\", \"CVE-2016-2089\", \"CVE-2016-2116\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0100\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"jasper\", rpm:\"jasper~1.900.1~20.4.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8654", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-10251", "CVE-2016-1867", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-10249"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-05-19T00:00:00", "id": "OPENVAS:1361412562310843178", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843178", "type": "openvas", "title": "Ubuntu Update for jasper USN-3295-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for jasper USN-3295-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843178\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-19 07:10:16 +0200 (Fri, 19 May 2017)\");\n script_cve_id(\"CVE-2016-10249\", \"CVE-2016-10251\", \"CVE-2016-1867\", \"CVE-2016-2089\",\n \"CVE-2016-8654\", \"CVE-2016-8691\", \"CVE-2016-8692\", \"CVE-2016-8693\",\n \"CVE-2016-8882\", \"CVE-2016-9560\", \"CVE-2016-9591\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for jasper USN-3295-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jasper'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that JasPer incorrectly\nhandled certain malformed JPEG-2000 image files. If a user or automated system\nusing JasPer were tricked into opening a specially crafted image, an attacker\ncould exploit this to cause a denial of service or possibly execute code with the\nprivileges of the user invoking the program.\");\n script_tag(name:\"affected\", value:\"jasper on Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3295-1\");\n script_xref(name:\"URL\", value:\"https://www.ubuntu.com/usn/usn-3295-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjasper1:amd64\", ver:\"1.900.1-14ubuntu3.4\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libjasper1:i386\", ver:\"1.900.1-14ubuntu3.4\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjasper1:amd64\", ver:\"1.900.1-debian1-2.4ubuntu1.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libjasper1:i386\", ver:\"1.900.1-debian1-2.4ubuntu1.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8880", "CVE-2016-8887", "CVE-2016-8881", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-8883", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-8886"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:1361412562310810173", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810173", "type": "openvas", "title": "Fedora Update for jasper FEDORA-2016-e0f0d48142", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jasper FEDORA-2016-e0f0d48142\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810173\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-02 14:06:19 +0100 (Fri, 02 Dec 2016)\");\n script_cve_id(\"CVE-2016-8883\", \"CVE-2016-8882\", \"CVE-2016-8881\", \"CVE-2016-8880\",\n \"CVE-2016-8884\", \"CVE-2016-8885\", \"CVE-2016-8887\", \"CVE-2016-8886\",\n \"CVE-2016-8690\", \"CVE-2016-8691\", \"CVE-2016-8692\", \"CVE-2016-8693\",\n \"CVE-2016-2089\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jasper FEDORA-2016-e0f0d48142\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jasper'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jasper on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-e0f0d48142\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGI2FZQLOTSZI3VA4ECJERI74SMNQDL4\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"jasper\", rpm:\"jasper~1.900.13~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8880", "CVE-2016-8887", "CVE-2016-8881", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-8883", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-8886"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:1361412562310810199", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810199", "type": "openvas", "title": "Fedora Update for jasper FEDORA-2016-6c789ba91d", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jasper FEDORA-2016-6c789ba91d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810199\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-02 14:06:07 +0100 (Fri, 02 Dec 2016)\");\n script_cve_id(\"CVE-2016-8883\", \"CVE-2016-8882\", \"CVE-2016-8881\", \"CVE-2016-8880\",\n \"CVE-2016-8884\", \"CVE-2016-8885\", \"CVE-2016-8887\", \"CVE-2016-8886\",\n \"CVE-2016-8690\", \"CVE-2016-8691\", \"CVE-2016-8692\", \"CVE-2016-8693\",\n \"CVE-2016-2089\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jasper FEDORA-2016-6c789ba91d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jasper'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jasper on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-6c789ba91d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"jasper\", rpm:\"jasper~1.900.13~1.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8654", "CVE-2016-9262", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-9394", "CVE-2016-9391", "CVE-2016-8883", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-9387", "CVE-2016-9390", "CVE-2015-5203", "CVE-2016-10248", "CVE-2016-10251", "CVE-2016-1867", "CVE-2016-9583", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-1577", "CVE-2016-9389", "CVE-2016-9393", "CVE-2015-5221", "CVE-2016-9600", "CVE-2016-9392", "CVE-2016-2116", "CVE-2016-10249", "CVE-2016-9388"], "description": "Check the version of jasper", "modified": "2019-03-08T00:00:00", "published": "2017-05-16T00:00:00", "id": "OPENVAS:1361412562310882713", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882713", "type": "openvas", "title": "CentOS Update for jasper CESA-2017:1208 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for jasper CESA-2017:1208 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882713\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-16 06:50:02 +0200 (Tue, 16 May 2017)\");\n script_cve_id(\"CVE-2015-5203\", \"CVE-2015-5221\", \"CVE-2016-10248\", \"CVE-2016-10249\",\n \"CVE-2016-10251\", \"CVE-2016-1577\", \"CVE-2016-1867\", \"CVE-2016-2089\",\n \"CVE-2016-2116\", \"CVE-2016-8654\", \"CVE-2016-8690\", \"CVE-2016-8691\",\n \"CVE-2016-8692\", \"CVE-2016-8693\", \"CVE-2016-8883\", \"CVE-2016-8884\",\n \"CVE-2016-8885\", \"CVE-2016-9262\", \"CVE-2016-9387\", \"CVE-2016-9388\",\n \"CVE-2016-9389\", \"CVE-2016-9390\", \"CVE-2016-9391\", \"CVE-2016-9392\",\n \"CVE-2016-9393\", \"CVE-2016-9394\", \"CVE-2016-9560\", \"CVE-2016-9583\",\n \"CVE-2016-9591\", \"CVE-2016-9600\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for jasper CESA-2017:1208 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of jasper\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"JasPer is an implementation of Part 1 of\n the JPEG 2000 image compression standard.\n\nSecurity Fix(es):\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files.\nA specially crafted file could cause an application using JasPer to crash\nor, possibly, execute arbitrary code.\n\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files.\nA specially crafted file could cause an application using JasPer to crash.\n\n\nRed Hat would like to thank Liu Bingchang (IIE) for reporting\");\n script_tag(name:\"affected\", value:\"jasper on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:1208\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-May/022408.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"jasper\", rpm:\"jasper~1.900.1~21.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"jasper-devel\", rpm:\"jasper-devel~1.900.1~21.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"jasper-libs\", rpm:\"jasper-libs~1.900.1~21.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"jasper-utils\", rpm:\"jasper-utils~1.900.1~21.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:38:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8654", "CVE-2016-9262", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-9394", "CVE-2016-9391", "CVE-2016-8883", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-9387", "CVE-2016-9390", "CVE-2015-5203", "CVE-2016-10248", "CVE-2016-10251", "CVE-2016-1867", "CVE-2016-9583", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-1577", "CVE-2016-9389", "CVE-2016-9393", "CVE-2015-5221", "CVE-2016-9600", "CVE-2016-9392", "CVE-2016-2116", "CVE-2016-10249", "CVE-2016-9388"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171094", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171094", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for jasper (EulerOS-SA-2017-1094)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1094\");\n script_version(\"2020-01-23T10:49:58+0000\");\n script_cve_id(\"CVE-2015-5203\", \"CVE-2015-5221\", \"CVE-2016-10248\", \"CVE-2016-10249\", \"CVE-2016-10251\", \"CVE-2016-1577\", \"CVE-2016-1867\", \"CVE-2016-2089\", \"CVE-2016-2116\", \"CVE-2016-8654\", \"CVE-2016-8690\", \"CVE-2016-8691\", \"CVE-2016-8692\", \"CVE-2016-8693\", \"CVE-2016-8883\", \"CVE-2016-8884\", \"CVE-2016-8885\", \"CVE-2016-9262\", \"CVE-2016-9387\", \"CVE-2016-9388\", \"CVE-2016-9389\", \"CVE-2016-9390\", \"CVE-2016-9391\", \"CVE-2016-9392\", \"CVE-2016-9393\", \"CVE-2016-9394\", \"CVE-2016-9560\", \"CVE-2016-9583\", \"CVE-2016-9591\", \"CVE-2016-9600\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:49:58 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:49:58 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for jasper (EulerOS-SA-2017-1094)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1094\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1094\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'jasper' package(s) announced via the EulerOS-SA-2017-1094 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)\");\n\n script_tag(name:\"affected\", value:\"'jasper' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jasper-libs\", rpm:\"jasper-libs~1.900.1~30\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8654", "CVE-2016-9262", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-9394", "CVE-2016-9391", "CVE-2016-8883", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-9387", "CVE-2016-9390", "CVE-2015-5203", "CVE-2016-10248", "CVE-2016-10251", "CVE-2016-1867", "CVE-2016-9583", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-1577", "CVE-2016-9389", "CVE-2016-9393", "CVE-2015-5221", "CVE-2016-9600", "CVE-2016-9392", "CVE-2016-2116", "CVE-2016-10249", "CVE-2016-9388"], "description": "Check the version of jasper", "modified": "2019-03-08T00:00:00", "published": "2017-05-16T00:00:00", "id": "OPENVAS:1361412562310882714", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882714", "type": "openvas", "title": "CentOS Update for jasper CESA-2017:1208 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for jasper CESA-2017:1208 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882714\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-16 06:51:19 +0200 (Tue, 16 May 2017)\");\n script_cve_id(\"CVE-2015-5203\", \"CVE-2015-5221\", \"CVE-2016-10248\", \"CVE-2016-10249\",\n \"CVE-2016-10251\", \"CVE-2016-1577\", \"CVE-2016-1867\", \"CVE-2016-2089\",\n \"CVE-2016-2116\", \"CVE-2016-8654\", \"CVE-2016-8690\", \"CVE-2016-8691\",\n \"CVE-2016-8692\", \"CVE-2016-8693\", \"CVE-2016-8883\", \"CVE-2016-8884\",\n \"CVE-2016-8885\", \"CVE-2016-9262\", \"CVE-2016-9387\", \"CVE-2016-9388\",\n \"CVE-2016-9389\", \"CVE-2016-9390\", \"CVE-2016-9391\", \"CVE-2016-9392\",\n \"CVE-2016-9393\", \"CVE-2016-9394\", \"CVE-2016-9560\", \"CVE-2016-9583\",\n \"CVE-2016-9591\", \"CVE-2016-9600\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for jasper CESA-2017:1208 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of jasper\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"JasPer is an implementation of Part 1 of\nthe JPEG 2000 image compression standard.\n\n\nSecurity Fix(es):\n\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files.\nA specially crafted file could cause an application using JasPer to crash\nor, possibly, execute arbitrary code.\n\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files.\nA specially crafted file could cause an application using JasPer to crash.\n\n\nRed Hat would like to thank Liu Bingchang (IIE) for reporting\nCVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600 Gustavo\nGrieco for reporting CVE-2015-5203 and Josselin Feist for reporting\nCVE-2015-5221.\");\n script_tag(name:\"affected\", value:\"jasper on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:1208\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-May/022411.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"jasper\", rpm:\"jasper~1.900.1~30.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"jasper-devel\", rpm:\"jasper-devel~1.900.1~30.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"jasper-libs\", rpm:\"jasper-libs~1.900.1~30.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"jasper-utils\", rpm:\"jasper-utils~1.900.1~30.el7_3\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-12T10:14:09", "description": "New version of jasper is available (1.900.3)\n\n----\n\nSecurity fix for CVE-2016-2089\n\n----\n\nNew version of jasper is available.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2016-11-15T00:00:00", "title": "Fedora 25 : jasper (2016-39b00344ac)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2089"], "modified": "2016-11-15T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:jasper"], "id": "FEDORA_2016-39B00344AC.NASL", "href": "https://www.tenable.com/plugins/nessus/94792", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-39b00344ac.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94792);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-2089\");\n script_xref(name:\"FEDORA\", value:\"2016-39b00344ac\");\n\n script_name(english:\"Fedora 25 : jasper (2016-39b00344ac)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New version of jasper is available (1.900.3)\n\n----\n\nSecurity fix for CVE-2016-2089\n\n----\n\nNew version of jasper is available.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-39b00344ac\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jasper package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jasper\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"jasper-1.900.3-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jasper\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-20T12:29:57", "description": "This update for jasper fixes the following issues :\n\n - CVE-2016-2089: Specially crafted JPEG 2000 may cause\n JasPer to crash (boo#963983)", "edition": 18, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2016-02-11T00:00:00", "title": "openSUSE Security Update : jasper (openSUSE-2016-180)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2089"], "modified": "2016-02-11T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libjasper-devel", "p-cpe:/a:novell:opensuse:jasper-debuginfo", "p-cpe:/a:novell:opensuse:jasper", "cpe:/o:novell:opensuse:13.2", "p-cpe:/a:novell:opensuse:libjasper1", "p-cpe:/a:novell:opensuse:libjasper1-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libjasper1-32bit", "p-cpe:/a:novell:opensuse:jasper-debugsource", "p-cpe:/a:novell:opensuse:libjasper1-debuginfo"], "id": "OPENSUSE-2016-180.NASL", "href": "https://www.tenable.com/plugins/nessus/88686", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-180.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88686);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-2089\");\n\n script_name(english:\"openSUSE Security Update : jasper (openSUSE-2016-180)\");\n script_summary(english:\"Check for the openSUSE-2016-180 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for jasper fixes the following issues :\n\n - CVE-2016-2089: Specially crafted JPEG 2000 may cause\n JasPer to crash (boo#963983)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=963983\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jasper packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jasper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jasper-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jasper-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"jasper-1.900.1-163.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"jasper-debuginfo-1.900.1-163.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"jasper-debugsource-1.900.1-163.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libjasper-devel-1.900.1-163.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libjasper1-1.900.1-163.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libjasper1-debuginfo-1.900.1-163.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libjasper1-32bit-1.900.1-163.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libjasper1-debuginfo-32bit-1.900.1-163.21.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jasper / jasper-debuginfo / jasper-debugsource / libjasper-devel / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-20T12:29:58", "description": "This update fixes the following issue :\n\n - CVE-2016-2089: invalid read in the JasPer's\n jas_matrix_clip() function (bsc#963983)", "edition": 19, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2016-02-12T00:00:00", "title": "openSUSE Security Update : jasper (openSUSE-2016-185)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2089"], "modified": "2016-02-12T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libjasper-devel", "p-cpe:/a:novell:opensuse:jasper-debuginfo", "p-cpe:/a:novell:opensuse:jasper", "p-cpe:/a:novell:opensuse:libjasper1", "p-cpe:/a:novell:opensuse:libjasper1-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libjasper1-32bit", "p-cpe:/a:novell:opensuse:jasper-debugsource", "cpe:/o:novell:opensuse:13.1", "p-cpe:/a:novell:opensuse:libjasper1-debuginfo"], "id": "OPENSUSE-2016-185.NASL", "href": "https://www.tenable.com/plugins/nessus/88705", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-185.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88705);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-2089\");\n\n script_name(english:\"openSUSE Security Update : jasper (openSUSE-2016-185)\");\n script_summary(english:\"Check for the openSUSE-2016-185 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes the following issue :\n\n - CVE-2016-2089: invalid read in the JasPer's\n jas_matrix_clip() function (bsc#963983)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=963983\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jasper packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jasper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jasper-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jasper-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjasper1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"jasper-1.900.1-160.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"jasper-debuginfo-1.900.1-160.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"jasper-debugsource-1.900.1-160.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libjasper-devel-1.900.1-160.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libjasper1-1.900.1-160.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libjasper1-debuginfo-1.900.1-160.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libjasper1-32bit-1.900.1-160.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libjasper1-debuginfo-32bit-1.900.1-160.19.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jasper / jasper-debuginfo / jasper-debugsource / libjasper-devel / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T09:49:28", "description": "Several vulnerabilities were discovered in JasPer, a library for\nmanipulating JPEG-2000 files. The Common Vulnerabilities and Exposures\nproject identifies the following problems :\n\n - CVE-2016-1577\n Jacob Baines discovered a double-free flaw in the\n jas_iccattrval_destroy function. A remote attacker could\n exploit this flaw to cause an application using the\n JasPer library to crash, or potentially, to execute\n arbitrary code with the privileges of the user running\n the application.\n\n - CVE-2016-2089\n The Qihoo 360 Codesafe Team discovered a NULL pointer\n dereference flaw within the jas_matrix_clip function. A\n remote attacker could exploit this flaw to cause an\n application using the JasPer library to crash, resulting\n in a denial-of-service.\n\n - CVE-2016-2116\n Tyler Hicks discovered a memory leak flaw in the\n jas_iccprof_createfrombuf function. A remote attacker\n could exploit this flaw to cause the JasPer library to\n consume memory, resulting in a denial-of-service.", "edition": 22, "cvss3": {"score": 7.6, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"}, "published": "2016-03-07T00:00:00", "title": "Debian DSA-3508-1 : jasper - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2089", "CVE-2016-1577", "CVE-2016-2116"], "modified": "2016-03-07T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:jasper"], "id": "DEBIAN_DSA-3508.NASL", "href": "https://www.tenable.com/plugins/nessus/89698", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3508. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89698);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1577\", \"CVE-2016-2089\", \"CVE-2016-2116\");\n script_xref(name:\"DSA\", value:\"3508\");\n\n script_name(english:\"Debian DSA-3508-1 : jasper - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in JasPer, a library for\nmanipulating JPEG-2000 files. The Common Vulnerabilities and Exposures\nproject identifies the following problems :\n\n - CVE-2016-1577\n Jacob Baines discovered a double-free flaw in the\n jas_iccattrval_destroy function. A remote attacker could\n exploit this flaw to cause an application using the\n JasPer library to crash, or potentially, to execute\n arbitrary code with the privileges of the user running\n the application.\n\n - CVE-2016-2089\n The Qihoo 360 Codesafe Team discovered a NULL pointer\n dereference flaw within the jas_matrix_clip function. A\n remote attacker could exploit this flaw to cause an\n application using the JasPer library to crash, resulting\n in a denial-of-service.\n\n - CVE-2016-2116\n Tyler Hicks discovered a memory leak flaw in the\n jas_iccprof_createfrombuf function. A remote attacker\n could exploit this flaw to cause the JasPer library to\n consume memory, resulting in a denial-of-service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812978\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816625\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816626\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-1577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-2089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-2116\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/jasper\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/jasper\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3508\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the jasper packages.\n\nFor the oldstable distribution (wheezy), these problems have been\nfixed in version 1.900.1-13+deb7u4.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 1.900.1-debian1-2.4+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:jasper\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libjasper-dev\", reference:\"1.900.1-13+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libjasper-runtime\", reference:\"1.900.1-13+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libjasper1\", reference:\"1.900.1-13+deb7u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libjasper-dev\", reference:\"1.900.1-debian1-2.4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libjasper-runtime\", reference:\"1.900.1-debian1-2.4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libjasper1\", reference:\"1.900.1-debian1-2.4+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:46:41", "description": "oCERT reports :\n\nThe library is affected by a double-free vulnerability in function\njas_iccattrval_destroy() as well as a heap-based buffer overflow in\nfunction jp2_decode(). A specially crafted jp2 file can be used to\ntrigger the vulnerabilities.\n\noCERT reports :\n\nThe library is affected by an off-by-one error in a buffer boundary\ncheck in jpc_dec_process_sot(), leading to a heap based buffer\noverflow, as well as multiple unrestricted stack memory use issues in\njpc_qmfb.c, leading to stack overflow. A specially crafted jp2 file\ncan be used to trigger the vulnerabilities.\n\noCERT reports :\n\nMultiple off-by-one flaws, leading to heap-based buffer overflows,\nwere found in the way JasPer decoded JPEG 2000 files. A specially\ncrafted file could cause an application using JasPer to crash or,\npossibly, execute arbitrary code.\n\nlimingxing reports :\n\nA vulnerability was found in the way the JasPer's jas_matrix_clip()\nfunction parses certain JPEG 2000 image files. A specially crafted\nfile could cause an application using JasPer to crash.", "edition": 28, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2016-02-22T00:00:00", "title": "FreeBSD : jasper -- multiple vulnerabilities (006e3b7c-d7d7-11e5-b85f-0018fe623f2b)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8158", "CVE-2014-8137", "CVE-2014-8138", "CVE-2014-9029", "CVE-2016-2089", "CVE-2014-8157"], "modified": "2016-02-22T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:jasper"], "id": "FREEBSD_PKG_006E3B7CD7D711E5B85F0018FE623F2B.NASL", "href": "https://www.tenable.com/plugins/nessus/88875", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88875);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2014-8137\", \"CVE-2014-8138\", \"CVE-2014-8157\", \"CVE-2014-8158\", \"CVE-2014-9029\", \"CVE-2016-2089\");\n\n script_name(english:\"FreeBSD : jasper -- multiple vulnerabilities (006e3b7c-d7d7-11e5-b85f-0018fe623f2b)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"oCERT reports :\n\nThe library is affected by a double-free vulnerability in function\njas_iccattrval_destroy() as well as a heap-based buffer overflow in\nfunction jp2_decode(). A specially crafted jp2 file can be used to\ntrigger the vulnerabilities.\n\noCERT reports :\n\nThe library is affected by an off-by-one error in a buffer boundary\ncheck in jpc_dec_process_sot(), leading to a heap based buffer\noverflow, as well as multiple unrestricted stack memory use issues in\njpc_qmfb.c, leading to stack overflow. A specially crafted jp2 file\ncan be used to trigger the vulnerabilities.\n\noCERT reports :\n\nMultiple off-by-one flaws, leading to heap-based buffer overflows,\nwere found in the way JasPer decoded JPEG 2000 files. A specially\ncrafted file could cause an application using JasPer to crash or,\npossibly, execute arbitrary code.\n\nlimingxing reports :\n\nA vulnerability was found in the way the JasPer's jas_matrix_clip()\nfunction parses certain JPEG 2000 image files. A specially crafted\nfile could cause an application using JasPer to crash.\"\n );\n # http://www.ocert.org/advisories/ocert-2014-012.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://ocert.org/advisories/ocert-2014-012.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1173157\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1173162\"\n );\n # http://www.ocert.org/advisories/ocert-2015-001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://ocert.org/advisories/ocert-2015-001.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1179282\"\n );\n # http://www.ocert.org/advisories/ocert-2014-009.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://ocert.org/advisories/ocert-2014-009.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1167537\"\n );\n # http://seclists.org/oss-sec/2016/q1/233\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/oss-sec/2016/q1/233\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1302636\"\n );\n # https://vuxml.freebsd.org/freebsd/006e3b7c-d7d7-11e5-b85f-0018fe623f2b.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c1386995\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jasper\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"jasper<1.900.1_16\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:45:04", "description": "It was discovered that JasPer incorrectly handled certain malformed\nJPEG-2000 image files. If a user or automated system using JasPer were\ntricked into opening a specially crafted image, an attacker could\nexploit this to cause a denial of service or possibly execute code\nwith the privileges of the user invoking the program.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-05-19T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS : jasper vulnerabilities (USN-3295-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8654", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-10251", "CVE-2016-1867", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-10249"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:libjasper1", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3295-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100294", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3295-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100294);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2016-10249\", \"CVE-2016-10251\", \"CVE-2016-1867\", \"CVE-2016-2089\", \"CVE-2016-8654\", \"CVE-2016-8691\", \"CVE-2016-8692\", \"CVE-2016-8693\", \"CVE-2016-8882\", \"CVE-2016-9560\", \"CVE-2016-9591\");\n script_xref(name:\"USN\", value:\"3295-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS : jasper vulnerabilities (USN-3295-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that JasPer incorrectly handled certain malformed\nJPEG-2000 image files. If a user or automated system using JasPer were\ntricked into opening a specially crafted image, an attacker could\nexploit this to cause a denial of service or possibly execute code\nwith the privileges of the user invoking the program.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3295-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libjasper1 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjasper1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libjasper1\", pkgver:\"1.900.1-14ubuntu3.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libjasper1\", pkgver:\"1.900.1-debian1-2.4ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjasper1\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:14:53", "description": "This update contains security fix for CVE-2016-8883, CVE-2016-8882,\nCVE-2016-8881, CVE-2016-8880, CVE-2016-8884, CVE-2016-8885,\nCVE-2016-8887, CVE-2016-8886.\n\n----\n\nNew version of jasper is available (jasper-1.900.13). Security fix for\nCVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693.\n\n----\n\nNew version of jasper is available (1.900.3)\n\n----\n\nSecurity fix for CVE-2016-2089\n\n----\n\nNew version of jasper is available.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-11-10T00:00:00", "title": "Fedora 24 : jasper (2016-e0f0d48142)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8880", "CVE-2016-8887", "CVE-2016-8881", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-8883", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-8886"], "modified": "2016-11-10T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:jasper", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-E0F0D48142.NASL", "href": "https://www.tenable.com/plugins/nessus/94662", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-e0f0d48142.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94662);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-2089\", \"CVE-2016-8690\", \"CVE-2016-8691\", \"CVE-2016-8692\", \"CVE-2016-8693\", \"CVE-2016-8880\", \"CVE-2016-8881\", \"CVE-2016-8882\", \"CVE-2016-8883\", \"CVE-2016-8884\", \"CVE-2016-8885\", \"CVE-2016-8886\", \"CVE-2016-8887\");\n script_xref(name:\"FEDORA\", value:\"2016-e0f0d48142\");\n\n script_name(english:\"Fedora 24 : jasper (2016-e0f0d48142)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update contains security fix for CVE-2016-8883, CVE-2016-8882,\nCVE-2016-8881, CVE-2016-8880, CVE-2016-8884, CVE-2016-8885,\nCVE-2016-8887, CVE-2016-8886.\n\n----\n\nNew version of jasper is available (jasper-1.900.13). Security fix for\nCVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693.\n\n----\n\nNew version of jasper is available (1.900.3)\n\n----\n\nSecurity fix for CVE-2016-2089\n\n----\n\nNew version of jasper is available.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-e0f0d48142\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jasper package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jasper\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"jasper-1.900.13-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jasper\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:14:22", "description": "This update contains security fix for CVE-2016-8883, CVE-2016-8882,\nCVE-2016-8881, CVE-2016-8880, CVE-2016-8884, CVE-2016-8885,\nCVE-2016-8887, CVE-2016-8886.\n\n----\n\nNew version of jasper is available (jasper-1.900.13). Security fix for\nCVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693.\n\n----\n\nNew version of jasper is available (1.900.3)\n\n----\n\nSecurity fix for CVE-2016-2089\n\n----\n\nNew version of jasper is available.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-11-11T00:00:00", "title": "Fedora 23 : jasper (2016-6c789ba91d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8880", "CVE-2016-8887", "CVE-2016-8881", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-8883", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-8886"], "modified": "2016-11-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:jasper", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-6C789BA91D.NASL", "href": "https://www.tenable.com/plugins/nessus/94689", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-6c789ba91d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94689);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-2089\", \"CVE-2016-8690\", \"CVE-2016-8691\", \"CVE-2016-8692\", \"CVE-2016-8693\", \"CVE-2016-8880\", \"CVE-2016-8881\", \"CVE-2016-8882\", \"CVE-2016-8883\", \"CVE-2016-8884\", \"CVE-2016-8885\", \"CVE-2016-8886\", \"CVE-2016-8887\");\n script_xref(name:\"FEDORA\", value:\"2016-6c789ba91d\");\n\n script_name(english:\"Fedora 23 : jasper (2016-6c789ba91d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update contains security fix for CVE-2016-8883, CVE-2016-8882,\nCVE-2016-8881, CVE-2016-8880, CVE-2016-8884, CVE-2016-8885,\nCVE-2016-8887, CVE-2016-8886.\n\n----\n\nNew version of jasper is available (jasper-1.900.13). Security fix for\nCVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693.\n\n----\n\nNew version of jasper is available (1.900.3)\n\n----\n\nSecurity fix for CVE-2016-2089\n\n----\n\nNew version of jasper is available.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c789ba91d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jasper package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jasper\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"jasper-1.900.13-1.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jasper\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T14:46:42", "description": "This update for jasper fixes the following issues: Security fixes :\n\n - CVE-2016-8887: NULL pointer dereference in\n jp2_colr_destroy (jp2_cod.c) (bsc#1006836)\n\n - CVE-2016-8886: memory allocation failure in jas_malloc\n (jas_malloc.c) (bsc#1006599)\n\n - CVE-2016-8884,CVE-2016-8885: two NULL pointer\n dereferences in bmp_getdata (incomplete fix for\n CVE-2016-8690) (bsc#1007009)\n\n - CVE-2016-8883: assert in jpc_dec_tiledecode()\n (bsc#1006598)\n\n - CVE-2016-8882: segfault / NULL pointer access in\n jpc_pi_destroy (bsc#1006597)\n\n - CVE-2016-8881: Heap overflow in jpc_getuint16()\n (bsc#1006593)\n\n - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()\n (bsc#1006591)\n\n - CVE-2016-8693: Double free vulnerability in mem_close\n (bsc#1005242)\n\n - CVE-2016-8691, CVE-2016-8692: Divide by zero in\n jpc_dec_process_siz (bsc#1005090)\n\n - CVE-2016-8690: NULL pointer dereference in bmp_getdata\n triggered by crafted BMP image (bsc#1005084)\n\n - CVE-2016-2089: invalid read in the JasPer's\n jas_matrix_clip() function (bsc#963983)\n\n - CVE-2016-1867: Out-of-bounds Read in the JasPer's\n jpc_pi_nextcprl() function (bsc#961886)\n\n - CVE-2016-1577, CVE-2016-2116: double free vulnerability\n in the jas_iccattrval_destroy function (bsc#968373)\n\n - CVE-2015-5221: Use-after-free (and double-free) in\n Jasper JPEG-200 (bsc#942553)\n\n - CVE-2015-5203: Double free corruption in JasPer\n JPEG-2000 implementation (bsc#941919)\n\n - CVE-2008-3522: multiple integer overflows (bsc#392410)\n\n - bsc#1006839: NULL pointer dereference in\n jp2_colr_destroy (jp2_cod.c) (incomplete fix for\n CVE-2016-8887)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-11-11T00:00:00", "title": "SUSE SLES11 Security Update : jasper (SUSE-SU-2016:2776-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8880", "CVE-2016-8887", "CVE-2016-8881", "CVE-2016-8884", "CVE-2008-3522", "CVE-2016-8885", "CVE-2016-8883", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2015-5203", "CVE-2016-1867", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-1577", "CVE-2015-5221", "CVE-2016-2116", "CVE-2016-8886"], "modified": "2016-11-11T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:libjasper"], "id": "SUSE_SU-2016-2776-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94729", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2776-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94729);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2008-3522\", \"CVE-2015-5203\", \"CVE-2015-5221\", \"CVE-2016-1577\", \"CVE-2016-1867\", \"CVE-2016-2089\", \"CVE-2016-2116\", \"CVE-2016-8690\", \"CVE-2016-8691\", \"CVE-2016-8692\", \"CVE-2016-8693\", \"CVE-2016-8880\", \"CVE-2016-8881\", \"CVE-2016-8882\", \"CVE-2016-8883\", \"CVE-2016-8884\", \"CVE-2016-8885\", \"CVE-2016-8886\", \"CVE-2016-8887\");\n script_bugtraq_id(31470);\n\n script_name(english:\"SUSE SLES11 Security Update : jasper (SUSE-SU-2016:2776-1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for jasper fixes the following issues: Security fixes :\n\n - CVE-2016-8887: NULL pointer dereference in\n jp2_colr_destroy (jp2_cod.c) (bsc#1006836)\n\n - CVE-2016-8886: memory allocation failure in jas_malloc\n (jas_malloc.c) (bsc#1006599)\n\n - CVE-2016-8884,CVE-2016-8885: two NULL pointer\n dereferences in bmp_getdata (incomplete fix for\n CVE-2016-8690) (bsc#1007009)\n\n - CVE-2016-8883: assert in jpc_dec_tiledecode()\n (bsc#1006598)\n\n - CVE-2016-8882: segfault / NULL pointer access in\n jpc_pi_destroy (bsc#1006597)\n\n - CVE-2016-8881: Heap overflow in jpc_getuint16()\n (bsc#1006593)\n\n - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()\n (bsc#1006591)\n\n - CVE-2016-8693: Double free vulnerability in mem_close\n (bsc#1005242)\n\n - CVE-2016-8691, CVE-2016-8692: Divide by zero in\n jpc_dec_process_siz (bsc#1005090)\n\n - CVE-2016-8690: NULL pointer dereference in bmp_getdata\n triggered by crafted BMP image (bsc#1005084)\n\n - CVE-2016-2089: invalid read in the JasPer's\n jas_matrix_clip() function (bsc#963983)\n\n - CVE-2016-1867: Out-of-bounds Read in the JasPer's\n jpc_pi_nextcprl() function (bsc#961886)\n\n - CVE-2016-1577, CVE-2016-2116: double free vulnerability\n in the jas_iccattrval_destroy function (bsc#968373)\n\n - CVE-2015-5221: Use-after-free (and double-free) in\n Jasper JPEG-200 (bsc#942553)\n\n - CVE-2015-5203: Double free corruption in JasPer\n JPEG-2000 implementation (bsc#941919)\n\n - CVE-2008-3522: multiple integer overflows (bsc#392410)\n\n - bsc#1006839: NULL pointer dereference in\n jp2_colr_destroy (jp2_cod.c) (incomplete fix for\n CVE-2016-8887)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1005084\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1005090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1005242\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006591\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006593\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006597\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006598\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006599\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006836\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006839\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1007009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=392410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=941919\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=942553\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=961886\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=963983\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=968373\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2008-3522/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5203/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5221/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1577/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1867/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2089/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2116/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8690/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8691/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8692/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8693/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8880/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8881/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8882/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8883/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8884/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8885/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8886/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8887/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162776-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?730c3414\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t\npatch sdksp4-jasper-12846=1\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-jasper-12846=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-jasper-12846=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjasper\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/10/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"libjasper-32bit-1.900.14-134.25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"libjasper-32bit-1.900.14-134.25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"libjasper-1.900.14-134.25.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jasper\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:24:58", "description": "This update for jasper to version 1.900.14 fixes several issues. These\nsecurity issues were fixed :\n\n - CVE-2016-8887: NULL pointer dereference in\n jp2_colr_destroy (jp2_cod.c) (bsc#1006836)\n\n - CVE-2016-8886: memory allocation failure in jas_malloc\n (jas_malloc.c) (bsc#1006599)\n\n - CVE-2016-8884,CVE-2016-8885: two NULL pointer\n dereferences in bmp_getdata (incomplete fix for\n CVE-2016-8690) (bsc#1007009)\n\n - CVE-2016-8883: assert in jpc_dec_tiledecode()\n (bsc#1006598)\n\n - CVE-2016-8882: segfault / NULL pointer access in\n jpc_pi_destroy (bsc#1006597)\n\n - CVE-2016-8881: Heap overflow in jpc_getuint16()\n (bsc#1006593)\n\n - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()\n (bsc#1006591)\n\n - CVE-2016-8693 Double free vulnerability in mem_close\n (bsc#1005242)\n\n - CVE-2016-8691, CVE-2016-8692: Divide by zero in\n jpc_dec_process_siz (bsc#1005090)\n\n - CVE-2016-8690: NULL pointer dereference in bmp_getdata\n triggered by crafted BMP image (bsc#1005084)\n\n - CVE-2016-2116: Memory leak in the\n jas_iccprof_createfrombuf function in JasPer allowed\n remote attackers to cause a denial of service (memory\n consumption) via a crafted ICC color profile in a JPEG\n 2000 image file (bsc#968373)\n\n - CVE-2016-2089: invalid read in the JasPer's\n jas_matrix_clip() function (bsc#963983)\n\n - CVE-2016-1867: Out-of-bounds Read in the JasPer's\n jpc_pi_nextcprl() function (bsc#961886)\n\n - CVE-2015-5221: Use-after-free (and double-free) in\n Jasper JPEG-200 (bsc#942553).\n\n - CVE-2015-5203: Double free corruption in JasPer\n JPEG-2000 implementation (bsc#941919)\n\n - CVE-2008-3522: Buffer overflow in the jas_stream_printf\n function in libjasper/base/jas_stream.c in JasPer might\n have allowed context-dependent attackers to have an\n unknown impact via vectors related to the mif_hdr_put\n function and use of vsprintf (bsc#392410)\n\n - jasper: NULL pointer dereference in jp2_colr_destroy\n (jp2_cod.c) (incomplete fix for CVE-2016-8887)\n (bsc#1006839) For additional change description please\n have a look at the changelog.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 31, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-11-11T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : jasper (SUSE-SU-2016:2775-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8880", "CVE-2014-8158", "CVE-2016-8887", "CVE-2016-8881", "CVE-2016-8884", "CVE-2008-3522", "CVE-2016-8885", "CVE-2016-8883", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2015-5203", "CVE-2016-1867", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-1577", "CVE-2015-5221", "CVE-2016-2116", "CVE-2016-8886"], "modified": "2016-11-11T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:jasper-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:libjasper1-debuginfo", "p-cpe:/a:novell:suse_linux:libjasper1", "p-cpe:/a:novell:suse_linux:jasper-debuginfo"], "id": "SUSE_SU-2016-2775-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94728", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2775-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94728);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-3522\", \"CVE-2014-8158\", \"CVE-2015-5203\", \"CVE-2015-5221\", \"CVE-2016-1577\", \"CVE-2016-1867\", \"CVE-2016-2089\", \"CVE-2016-2116\", \"CVE-2016-8690\", \"CVE-2016-8691\", \"CVE-2016-8692\", \"CVE-2016-8693\", \"CVE-2016-8880\", \"CVE-2016-8881\", \"CVE-2016-8882\", \"CVE-2016-8883\", \"CVE-2016-8884\", \"CVE-2016-8885\", \"CVE-2016-8886\", \"CVE-2016-8887\");\n script_bugtraq_id(31470, 72293);\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : jasper (SUSE-SU-2016:2775-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for jasper to version 1.900.14 fixes several issues. These\nsecurity issues were fixed :\n\n - CVE-2016-8887: NULL pointer dereference in\n jp2_colr_destroy (jp2_cod.c) (bsc#1006836)\n\n - CVE-2016-8886: memory allocation failure in jas_malloc\n (jas_malloc.c) (bsc#1006599)\n\n - CVE-2016-8884,CVE-2016-8885: two NULL pointer\n dereferences in bmp_getdata (incomplete fix for\n CVE-2016-8690) (bsc#1007009)\n\n - CVE-2016-8883: assert in jpc_dec_tiledecode()\n (bsc#1006598)\n\n - CVE-2016-8882: segfault / NULL pointer access in\n jpc_pi_destroy (bsc#1006597)\n\n - CVE-2016-8881: Heap overflow in jpc_getuint16()\n (bsc#1006593)\n\n - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox()\n (bsc#1006591)\n\n - CVE-2016-8693 Double free vulnerability in mem_close\n (bsc#1005242)\n\n - CVE-2016-8691, CVE-2016-8692: Divide by zero in\n jpc_dec_process_siz (bsc#1005090)\n\n - CVE-2016-8690: NULL pointer dereference in bmp_getdata\n triggered by crafted BMP image (bsc#1005084)\n\n - CVE-2016-2116: Memory leak in the\n jas_iccprof_createfrombuf function in JasPer allowed\n remote attackers to cause a denial of service (memory\n consumption) via a crafted ICC color profile in a JPEG\n 2000 image file (bsc#968373)\n\n - CVE-2016-2089: invalid read in the JasPer's\n jas_matrix_clip() function (bsc#963983)\n\n - CVE-2016-1867: Out-of-bounds Read in the JasPer's\n jpc_pi_nextcprl() function (bsc#961886)\n\n - CVE-2015-5221: Use-after-free (and double-free) in\n Jasper JPEG-200 (bsc#942553).\n\n - CVE-2015-5203: Double free corruption in JasPer\n JPEG-2000 implementation (bsc#941919)\n\n - CVE-2008-3522: Buffer overflow in the jas_stream_printf\n function in libjasper/base/jas_stream.c in JasPer might\n have allowed context-dependent attackers to have an\n unknown impact via vectors related to the mif_hdr_put\n function and use of vsprintf (bsc#392410)\n\n - jasper: NULL pointer dereference in jp2_colr_destroy\n (jp2_cod.c) (incomplete fix for CVE-2016-8887)\n (bsc#1006839) For additional change description please\n have a look at the changelog.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1005084\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1005090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1005242\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006591\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006593\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006597\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006598\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006599\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006836\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006839\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1007009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=392410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=941919\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=942553\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=961886\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=963983\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=968373\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2008-3522/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-8158/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5203/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5221/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1577/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1867/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2089/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2116/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8690/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8691/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8692/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8693/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8880/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8881/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8882/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8883/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8884/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8885/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8886/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8887/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162775-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c3af566f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2016-1639=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t\npatch SUSE-SLE-SDK-12-SP1-2016-1639=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2016-1639=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2016-1639=1\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2016-1639=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2016-1639=1\n\nSUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP1-2016-1639=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:jasper-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:jasper-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjasper1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjasper1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/10/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1/2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"jasper-debuginfo-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"jasper-debugsource-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libjasper1-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libjasper1-debuginfo-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libjasper1-32bit-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libjasper1-debuginfo-32bit-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"jasper-debuginfo-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"jasper-debugsource-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libjasper1-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libjasper1-debuginfo-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libjasper1-32bit-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libjasper1-debuginfo-32bit-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"jasper-debuginfo-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"jasper-debugsource-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libjasper1-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libjasper1-32bit-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libjasper1-debuginfo-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libjasper1-debuginfo-32bit-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"jasper-debuginfo-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"jasper-debugsource-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libjasper1-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libjasper1-32bit-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libjasper1-debuginfo-1.900.14-181.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libjasper1-debuginfo-32bit-1.900.14-181.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jasper\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-08-12T00:58:33", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2089", "CVE-2016-1577", "CVE-2016-2116"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3508-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMarch 06, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : jasper\nCVE ID : CVE-2016-1577 CVE-2016-2089 CVE-2016-2116\nDebian Bug : 812978 816625 816626\n\nSeveral vulnerabilities were discovered in JasPer, a library for\nmanipulating JPEG-2000 files. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2016-1577\n\n Jacob Baines discovered a double-free flaw in the\n jas_iccattrval_destroy function. A remote attacker could exploit\n this flaw to cause an application using the JasPer library to crash,\n or potentially, to execute arbitrary code with the privileges of the\n user running the application.\n\nCVE-2016-2089\n\n The Qihoo 360 Codesafe Team discovered a NULL pointer dereference\n flaw within the jas_matrix_clip function. A remote attacker could\n exploit this flaw to cause an application using the JasPer library\n to crash, resulting in a denial-of-service.\n\nCVE-2016-2116\n\n Tyler Hicks discovered a memory leak flaw in the\n jas_iccprof_createfrombuf function. A remote attacker could exploit\n this flaw to cause the JasPer library to consume memory, resulting\n in a denial-of-service.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1.900.1-13+deb7u4.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.900.1-debian1-2.4+deb8u1.\n\nWe recommend that you upgrade your jasper packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2016-03-06T15:34:08", "published": "2016-03-06T15:34:08", "id": "DEBIAN:DSA-3508-1:44F45", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00080.html", "title": "[SECURITY] [DSA 3508-1] jasper security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2089", "CVE-2016-1577", "CVE-2016-2116"], "description": "- CVE-2016-1577 (arbitrary code execution)\n\nDouble free vulnerability in the jas_iccattrval_destroy function in\nJasPer 1.900.1 and earlier allows remote attackers to cause a denial of\nservice (crash) or possibly execute arbitrary code via a crafted ICC\ncolor profile in a JPEG 2000 image file.\n\n- CVE-2016-2089 (denial of service)\n\nThe jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows\nremote attackers to cause a denial of service (invalid read and\napplication crash) via a crafted JPEG 2000 image.\n\n- CVE-2016-2116 (denial of service)\n\nMemory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1\nand earlier allows remote attackers to cause a denial of service\n(memory consumption) via a crafted ICC color profile in a JPEG 2000\nimage file.", "modified": "2016-05-04T00:00:00", "published": "2016-05-04T00:00:00", "id": "ASA-201605-2", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-May/000609.html", "type": "archlinux", "title": "jasper: multiple issues", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5203", "CVE-2015-8751", "CVE-2016-2089", "CVE-2016-8690", "CVE-2016-8691", "CVE-2016-8692", "CVE-2016-8693", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-8887", "CVE-2016-9262", "CVE-2016-9387", "CVE-2016-9388", "CVE-2016-9557", "CVE-2016-9560"], "description": "Arch Linux Security Advisory ASA-201612-9\n=========================================\n\nSeverity: Critical\nDate : 2016-12-07\nCVE-ID : CVE-2015-5203 CVE-2015-8751 CVE-2016-2089 CVE-2016-8690\nCVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8884\nCVE-2016-8885 CVE-2016-8887 CVE-2016-9262 CVE-2016-9387\nCVE-2016-9388 CVE-2016-9557 CVE-2016-9560\nPackage : jasper\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package jasper before version 1.900.31-1 is vulnerable to multiple\nissues including arbitrary code execution and denial of service.\n\nResolution\n==========\n\nUpgrade to 1.900.31-1.\n\n# pacman -Syu \"jasper>=1.900.31-1\"\n\nThe problems have been fixed upstream in version 1.900.31.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2015-5203 (arbitrary code execution)\n\nA double free flaw was found in the way JasPer's\njasper_image_stop_load() function parsed certain JPEG 2000 image files.\nA specially crafted file could cause an application using JasPer to\ncrash or possibly execute arbitrary code.\n\n- CVE-2015-8751 (denial of service)\n\nAn integer overflow flaw was found in the way the JasPer's library\njas_matrix_create() function parsed certain JPEG 2000 image files. A\nspecially crafted file could cause an application using JasPer to\ncrash.\n\n- CVE-2016-2089 (denial of service)\n\nThe jas_matrix_clip function in jas_seq.c allows remote attackers to\ncause a denial of service (invalid read and application crash) via a\ncrafted JPEG 2000 image.\n\n- CVE-2016-8690 (denial of service)\n\nA null pointer dereference vulnerability was found in bmp_getdata\ntriggered by invoking imginfo command on specially crafted BMP image.\n\n- CVE-2016-8691 (denial of service)\n\nA division by zero vulnerability was found in jpc_dec_process_siz\ntriggered by invoking imginfo command on specially crafted file.\n\n- CVE-2016-8692 (denial of service)\n\nA division by zero vulnerability was found in jpc_dec_process_siz\ntriggered by invoking imginfo command on specially crafted file.\n\n- CVE-2016-8693 (denial of service)\n\nA double free vulnerability was found in mem_close in jas_stream.c\ntriggered by invoking imginfo command on specially crafted image file.\n\n- CVE-2016-8884 (denial of service)\n\nA null pointer dereference vulnerability has been discovered in\nbmp_getdata in bmp_dec.c.\n\n- CVE-2016-8885 (denial of service)\n\nA null pointer dereference vulnerability has been discovered in\nbmp_getdata in bmp_dec.c.\n\n- CVE-2016-8887 (denial of service)\n\nA null pointer dereference vulnerability was found in jp2_colr_destroy\nin jp2_cod.c leading to application crash.\n\n- CVE-2016-9262 (arbitrary code execution)\n\nA number of overflows were found in jasper causing use after free\nvulnerability triggered by a crafted image.\n\n- CVE-2016-9387 (denial of service)\n\nAn integer overflow in jpc_dec_process_siz was found that can be\ntriggered by crafted image file when given as input to imginfo.\n\n- CVE-2016-9388 (denial of service)\n\nAn improper error handling was found in the RAS encoder/decoder\ntriggering assertion tests that result in denial of service.\n\n- CVE-2016-9557 (denial of service)\n\nA signed integer overflow vulnerability has been discovered in\njas_image.c triggered by a crafted image. An option max_samples has\nbeen added to the BMP and JPEG decoders to restrict the maximum size of\nimage that they can decode. This change was made as a (possibly\ntemporary) fix to address security concerns.\n\n- CVE-2016-9560 (arbitrary code execution)\n\nA stack buffer overflow vulnerability has been discovered in\njpc/jpc_dec.c duo to an out of bounds array write triggered by a\ncrafted image.\n\nImpact\n======\n\nA remote attacker is able to perform a denial of service attack or\nexecute arbitrary code on the affected host.\n\nReferences\n==========\n\nhttp://seclists.org/oss-sec/2015/q3/366\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1254242#c3\nhttp://seclists.org/oss-sec/2016/q1/44\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1294039\nhttp://www.openwall.com/lists/oss-security/2016/10/16/14\nhttps://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/\nhttps://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca\nhttps://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020\nhttps://github.com/mdadams/jasper/commit/44a524e367597af58d6265ae2014468b334d0309\nhttps://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066\nhttp://seclists.org/oss-sec/2016/q4/213\nhttps://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d\nhttp://seclists.org/oss-sec/2016/q4/215\nhttps://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2\nhttp://seclists.org/oss-sec/2016/q4/385\nhttps://github.com/mdadams/jasper/commit/d91198abd00fc435a397fe6bad906a4c1748e9cf\nhttp://seclists.org/oss-sec/2016/q4/441\nhttps://github.com/mdadams/jasper/commit/411a4068f8c464e883358bf403a3e25158863823\nhttps://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a\nhttp://www.openwall.com/lists/oss-security/2016/11/23/2\nhttps://github.com/mdadams/jasper/commit/1abc2e5a401a4bf1d5ca4df91358ce5df111f495\nhttp://www.openwall.com/lists/oss-security/2016/11/23/5\nhttps://access.redhat.com/security/cve/CVE-2015-5203\nhttps://access.redhat.com/security/cve/CVE-2015-8751\nhttps://access.redhat.com/security/cve/CVE-2016-2089\nhttps://access.redhat.com/security/cve/CVE-2016-8690\nhttps://access.redhat.com/security/cve/CVE-2016-8691\nhttps://access.redhat.com/security/cve/CVE-2016-8692\nhttps://access.redhat.com/security/cve/CVE-2016-8693\nhttps://access.redhat.com/security/cve/CVE-2016-8884\nhttps://access.redhat.com/security/cve/CVE-2016-8885\nhttps://access.redhat.com/security/cve/CVE-2016-8887\nhttps://access.redhat.com/security/cve/CVE-2016-9262\nhttps://access.redhat.com/security/cve/CVE-2016-9387\nhttps://access.redhat.com/security/cve/CVE-2016-9388\nhttps://access.redhat.com/security/cve/CVE-2016-9557\nhttps://access.redhat.com/security/cve/CVE-2016-9560", "modified": "2016-12-07T00:00:00", "published": "2016-12-07T00:00:00", "id": "ASA-201612-9", "href": "https://security.archlinux.org/ASA-201612-9", "type": "archlinux", "title": "[ASA-201612-9] jasper: multiple issues", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:49", "bulletinFamily": "unix", "cvelist": ["CVE-2014-8158", "CVE-2014-8137", "CVE-2014-8138", "CVE-2014-9029", "CVE-2016-2089", "CVE-2014-8157"], "description": "\noCERT reports:\n\nThe library is affected by a double-free vulnerability in function\n\t jas_iccattrval_destroy()\n\t as well as a heap-based buffer overflow in function jp2_decode().\n\t A specially crafted jp2 file can be used to trigger the vulnerabilities.\n\noCERT reports:\n\nThe library is affected by an off-by-one error in a buffer boundary check\n\t in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well\n\t as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to\n\t stack overflow.\n\t A specially crafted jp2 file can be used to trigger the vulnerabilities.\n\noCERT reports:\n\nMultiple off-by-one flaws, leading to heap-based buffer overflows, were\n\t found in the way JasPer decoded JPEG 2000 files. A specially crafted file\n\t could cause an application using JasPer to crash or,\n\t possibly, execute arbitrary code.\n\nlimingxing reports:\n\nA vulnerability was found in the way the JasPer's jas_matrix_clip()\n\t function parses certain JPEG 2000 image files. A specially crafted file\n\t could cause an application using JasPer to crash.\n\n", "edition": 4, "modified": "2016-02-24T00:00:00", "published": "2014-12-10T00:00:00", "id": "006E3B7C-D7D7-11E5-B85F-0018FE623F2B", "href": "https://vuxml.freebsd.org/freebsd/006e3b7c-d7d7-11e5-b85f-0018fe623f2b.html", "title": "jasper -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:43:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8654", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-10251", "CVE-2016-1867", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-10249"], "description": "It was discovered that JasPer incorrectly handled certain malformed \nJPEG-2000 image files. If a user or automated system using JasPer were \ntricked into opening a specially crafted image, an attacker could exploit \nthis to cause a denial of service or possibly execute code with the \nprivileges of the user invoking the program.", "edition": 5, "modified": "2017-05-18T00:00:00", "published": "2017-05-18T00:00:00", "id": "USN-3295-1", "href": "https://ubuntu.com/security/notices/USN-3295-1", "title": "JasPer vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:50", "bulletinFamily": "software", "cvelist": ["CVE-2016-8654", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8882", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-10251", "CVE-2016-1867", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-10249"], "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nIt was discovered that JasPer incorrectly handled certain malformed JPEG-2000 image files. If a user or automated system using JasPer were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.123.0\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.123.0 or later.\n\n# References\n\n * [USN-3295-1](<http://www.ubuntu.com/usn/usn-3295-1/>)\n * [CVE-2016-10249](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10249>)\n * [CVE-2016-10251](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10251>)\n * [CVE-2016-1867](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1867>)\n * [CVE-2016-2089](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2089>)\n * [CVE-2016-8654](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8654>)\n * [CVE-2016-8691](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8691>)\n * [CVE-2016-8692](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8692>)\n * [CVE-2016-8693](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8693>)\n * [CVE-2016-8882](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8882>)\n * [CVE-2016-9560](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9560>)\n * [CVE-2016-9591](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9591>)\n * [bosh.io](<https://bosh.io>)\n", "edition": 5, "modified": "2017-06-02T00:00:00", "published": "2017-06-02T00:00:00", "id": "CFOUNDRY:8A468E730F72CC685A7AAAD6065903D3", "href": "https://www.cloudfoundry.org/blog/usn-3295-1/", "title": "USN-3295-1: JasPer vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2089", "CVE-2016-8690", "CVE-2016-8691", "CVE-2016-8692", "CVE-2016-8693", "CVE-2016-8880", "CVE-2016-8881", "CVE-2016-8882", "CVE-2016-8883", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-8886", "CVE-2016-8887"], "description": "This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats. ", "modified": "2016-11-10T03:31:54", "published": "2016-11-10T03:31:54", "id": "FEDORA:064DE6075F19", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: jasper-1.900.13-1.fc24", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2089", "CVE-2016-8690", "CVE-2016-8691", "CVE-2016-8692", "CVE-2016-8693", "CVE-2016-8880", "CVE-2016-8881", "CVE-2016-8882", "CVE-2016-8883", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-8886", "CVE-2016-8887"], "description": "This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats. ", "modified": "2016-11-10T15:53:31", "published": "2016-11-10T15:53:31", "id": "FEDORA:0B4D96061A75", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: jasper-1.900.13-1.fc23", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2020-12-08T03:39:03", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8654", "CVE-2016-9262", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-9394", "CVE-2016-9391", "CVE-2016-8883", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-9387", "CVE-2016-9390", "CVE-2015-5203", "CVE-2016-10248", "CVE-2016-10251", "CVE-2016-1867", "CVE-2016-9583", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-1577", "CVE-2016-9389", "CVE-2016-9393", "CVE-2015-5221", "CVE-2016-9600", "CVE-2016-9392", "CVE-2016-2116", "CVE-2016-10249", "CVE-2016-9388"], "description": "**CentOS Errata and Security Advisory** CESA-2017:1208\n\n\nJasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.\n\nSecurity Fix(es):\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)\n\nRed Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600; Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-May/034446.html\nhttp://lists.centos.org/pipermail/centos-announce/2017-May/034449.html\n\n**Affected packages:**\njasper\njasper-devel\njasper-libs\njasper-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-1208.html", "edition": 4, "modified": "2017-05-15T16:46:03", "published": "2017-05-15T15:59:23", "href": "http://lists.centos.org/pipermail/centos-announce/2017-May/034446.html", "id": "CESA-2017:1208", "title": "jasper security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:46:46", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5203", "CVE-2015-5221", "CVE-2016-10248", "CVE-2016-10249", "CVE-2016-10251", "CVE-2016-1577", "CVE-2016-1867", "CVE-2016-2089", "CVE-2016-2116", "CVE-2016-8654", "CVE-2016-8690", "CVE-2016-8691", "CVE-2016-8692", "CVE-2016-8693", "CVE-2016-8883", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-9262", "CVE-2016-9387", "CVE-2016-9388", "CVE-2016-9389", "CVE-2016-9390", "CVE-2016-9391", "CVE-2016-9392", "CVE-2016-9393", "CVE-2016-9394", "CVE-2016-9560", "CVE-2016-9583", "CVE-2016-9591", "CVE-2016-9600"], "description": "JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.\n\nSecurity Fix(es):\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2016-8654, CVE-2016-9560, CVE-2016-10249, CVE-2015-5203, CVE-2015-5221, CVE-2016-1577, CVE-2016-8690, CVE-2016-8693, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9591)\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8691, CVE-2016-8692, CVE-2016-8883, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9583, CVE-2016-9600, CVE-2016-10248, CVE-2016-10251)\n\nRed Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-8654, CVE-2016-9583, CVE-2016-9591, and CVE-2016-9600; Gustavo Grieco for reporting CVE-2015-5203; and Josselin Feist for reporting CVE-2015-5221.", "modified": "2018-06-07T18:22:00", "published": "2017-05-09T18:59:57", "id": "RHSA-2017:1208", "href": "https://access.redhat.com/errata/RHSA-2017:1208", "type": "redhat", "title": "(RHSA-2017:1208) Important: jasper security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:35:21", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8654", "CVE-2016-9262", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-9394", "CVE-2016-9391", "CVE-2016-8883", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-9387", "CVE-2016-9390", "CVE-2015-5203", "CVE-2016-10248", "CVE-2016-10251", "CVE-2016-1867", "CVE-2016-9583", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-1577", "CVE-2016-9389", "CVE-2016-1024", "CVE-2016-9393", "CVE-2015-5221", "CVE-2016-9600", "CVE-2016-9392", "CVE-2016-2116", "CVE-2016-10249", "CVE-2016-9388"], "description": "**Issue Overview:**\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files. A \nspecially crafted file could cause an application using JasPer to crash or, \npossibly, execute arbitrary code. ( [CVE-2016-8654 __](<https://access.redhat.com/security/cve/CVE-2016-8654>), [CVE-2016-9560 __](<https://access.redhat.com/security/cve/CVE-2016-9560>), [CVE-2016-10249 __](<https://access.redhat.com/security/cve/CVE-2016-10249>), \n[CVE-2015-5203 __](<https://access.redhat.com/security/cve/CVE-2015-5203>), [CVE-2015-5221 __](<https://access.redhat.com/security/cve/CVE-2015-5221>), [CVE-2016-1577 __](<https://access.redhat.com/security/cve/CVE-2016-1577>), [CVE-2016-8690 __](<https://access.redhat.com/security/cve/CVE-2016-8690>), [CVE-2016-8693 __](<https://access.redhat.com/security/cve/CVE-2016-8693>), \n[CVE-2016-8884 __](<https://access.redhat.com/security/cve/CVE-2016-8884>), [CVE-2016-8885 __](<https://access.redhat.com/security/cve/CVE-2016-8885>), [CVE-2016-9262 __](<https://access.redhat.com/security/cve/CVE-2016-9262>), [CVE-2016-9591 __](<https://access.redhat.com/security/cve/CVE-2016-9591>) )\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files. A \nspecially crafted file could cause an application using JasPer to crash. \n([CVE-2016-1867 __](<https://access.redhat.com/security/cve/CVE-2016-1867>), [CVE-2016-2089 __](<https://access.redhat.com/security/cve/CVE-2016-2089>), [CVE-2016-2116 __](<https://access.redhat.com/security/cve/CVE-2016-2116>), [CVE-2016-8691 __](<https://access.redhat.com/security/cve/CVE-2016-8691>), [CVE-2016-8692 __](<https://access.redhat.com/security/cve/CVE-2016-8692>), \n[CVE-2016-8883 __](<https://access.redhat.com/security/cve/CVE-2016-8883>), [CVE-2016-9387 __](<https://access.redhat.com/security/cve/CVE-2016-9387>), [CVE-2016-9388 __](<https://access.redhat.com/security/cve/CVE-2016-9388>), [CVE-2016-9389 __](<https://access.redhat.com/security/cve/CVE-2016-9389>), [CVE-2016-9390 __](<https://access.redhat.com/security/cve/CVE-2016-9390>), \n[CVE-2016-9391 __](<https://access.redhat.com/security/cve/CVE-2016-9391>), [CVE-2016-9392 __](<https://access.redhat.com/security/cve/CVE-2016-9392>), [CVE-2016-9393 __](<https://access.redhat.com/security/cve/CVE-2016-9393>), [CVE-2016-9394 __](<https://access.redhat.com/security/cve/CVE-2016-9394>), [CVE-2016-9583 __](<https://access.redhat.com/security/cve/CVE-2016-9583>), \n[CVE-2016-9600 __](<https://access.redhat.com/security/cve/CVE-2016-9600>), [CVE-2016-10248 __](<https://access.redhat.com/security/cve/CVE-2016-10248>), [CVE-2016-10251 __](<https://access.redhat.com/security/cve/CVE-2016-10251>))\n\n \n**Affected Packages:** \n\n\njasper\n\n \n**Issue Correction:** \nRun _yum update jasper_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n jasper-devel-1.900.1-21.9.amzn1.i686 \n jasper-utils-1.900.1-21.9.amzn1.i686 \n jasper-1.900.1-21.9.amzn1.i686 \n jasper-libs-1.900.1-21.9.amzn1.i686 \n jasper-debuginfo-1.900.1-21.9.amzn1.i686 \n \n src: \n jasper-1.900.1-21.9.amzn1.src \n \n x86_64: \n jasper-debuginfo-1.900.1-21.9.amzn1.x86_64 \n jasper-libs-1.900.1-21.9.amzn1.x86_64 \n jasper-1.900.1-21.9.amzn1.x86_64 \n jasper-devel-1.900.1-21.9.amzn1.x86_64 \n jasper-utils-1.900.1-21.9.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2017-06-06T16:49:00", "published": "2017-06-06T16:49:00", "id": "ALAS-2017-836", "href": "https://alas.aws.amazon.com/ALAS-2017-836.html", "title": "Important: jasper", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:01", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8654", "CVE-2014-8158", "CVE-2016-9262", "CVE-2014-8137", "CVE-2016-9591", "CVE-2016-9560", "CVE-2016-8884", "CVE-2016-8885", "CVE-2016-9394", "CVE-2016-9391", "CVE-2016-8883", "CVE-2016-8693", "CVE-2016-8691", "CVE-2016-8690", "CVE-2016-9387", "CVE-2016-9390", "CVE-2014-8138", "CVE-2015-5203", "CVE-2016-10248", "CVE-2016-10251", "CVE-2016-1867", "CVE-2014-9029", "CVE-2016-9583", "CVE-2016-2089", "CVE-2016-8692", "CVE-2016-1577", "CVE-2016-9389", "CVE-2016-9393", "CVE-2014-8157", "CVE-2015-5221", "CVE-2016-9600", "CVE-2016-9392", "CVE-2016-2116", "CVE-2016-10249", "CVE-2016-9388"], "description": "[1.900.1-21]\n- Bump release\n[1.900.1-20]\n- Multiple security fixes (fixed by thoger):\n CVE-2015-5203 CVE-2015-5221 CVE-2016-1577 CVE-2016-1867 CVE-2016-2089\n CVE-2016-2116 CVE-2016-8654 CVE-2016-8690 CVE-2016-8691 CVE-2016-8692\n CVE-2016-8693 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885 CVE-2016-9262\n CVE-2016-9387 CVE-2016-9388 CVE-2016-9389 CVE-2016-9390 CVE-2016-9391\n CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9560 CVE-2016-9583\n CVE-2016-9591 CVE-2016-9600 CVE-2016-10248 CVE-2016-10249 CVE-2016-10251\n- Fix implicit declaration warning caused by security fixes above\n[1.900.1-19]\n- CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot() (#1183672)\n- CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c (#1183680)\n[1.900.1-18]\n- CVE-2014-8137 - double-free in in jas_iccattrval_destroy (#1173567)\n- CVE-2014-8138 - heap overflow in jp2_decode (#1173567)\n[1.900.1-17]\n- CVE-2014-9029 - incorrect component number check in COC, RGN and QCC\n marker segment decoders (#1171209)", "edition": 4, "modified": "2017-05-09T00:00:00", "published": "2017-05-09T00:00:00", "id": "ELSA-2017-1208", "href": "http://linux.oracle.com/errata/ELSA-2017-1208.html", "title": "jasper security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
