The remote NewStart CGSL host, running version MAIN 4.05, has jasper packages installed that are affected by multiple vulnerabilities:
JasPer before version 2.0.10 is vulnerable to a null pointer dereference was found in the decoded creation of JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
(CVE-2016-9600)
A use-after-free flaw was found in the way JasPer, before version 2.0.12, decode certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. (CVE-2016-9591)
An out-of-bounds heap read vulnerability was found in the jpc_pi_nextpcrl() function of jasper before 2.0.6 when processing crafted input. (CVE-2016-9583)
A heap-buffer overflow vulnerability was found in QMFB code in JPC codec caused by buffer being allocated with too small size. jasper versions before 2.0.0 are affected. (CVE-2016-8654)
Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_tsfb.c in JasPer before 1.900.30 allows remote attackers to have unspecified impact via a crafted image. (CVE-2016-9560)
Multiple integer overflows in the (1) jas_realloc function in base/jas_malloc.c and (2) mem_resize function in base/jas_stream.c in JasPer before 1.900.22 allow remote attackers to cause a denial of service via a crafted image, which triggers use after free vulnerabilities. (CVE-2016-9262)
Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in JasPer before 1.900.20 allows remote attackers to have unspecified impact via a crafted file, which triggers use of an uninitialized value.
(CVE-2016-10251)
The jpc_pi_nextrpcl function in jpc_t2cod.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. (CVE-2016-9393)
The calcstepsizes function in jpc_dec.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.
(CVE-2016-9392)
The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. (CVE-2016-9394)
The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a very large integer.
(CVE-2016-9391)
The ras_getcmap function in ras_dec.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file.
(CVE-2016-9388)
The jpc_irct and jpc_iict functions in jpc_mct.c in JasPer before 1.900.14 allow remote attackers to cause a denial of service (assertion failure). (CVE-2016-9389)
The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. (CVE-2016-9390)
Integer overflow in the jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.13 allows remote attackers to have unspecified impact via a crafted file, which triggers an assertion failure.
(CVE-2016-9387)
Integer overflow in the jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.12 allows remote attackers to have unspecified impact via a crafted image file, which triggers a heap-based buffer overflow.
(CVE-2016-10249)
The jpc_tsfb_synthesize function in jpc_tsfb.c in JasPer before 1.900.9 allows remote attackers to cause a denial of service (NULL pointer dereference) via vectors involving an empty sequence. (CVE-2016-10248)
The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.
(CVE-2016-8883)
The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide- by-zero error and application crash) via a crafted YRsiz value in a BMP image to the imginfo command.
(CVE-2016-8692)
The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8690. (CVE-2016-8884)
Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command. (CVE-2016-8693)
The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted BMP image in an imginfo command. (CVE-2016-8690)
The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.9 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image.
(CVE-2016-8885)
The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide- by-zero error and application crash) via a crafted XRsiz value in a BMP image to the imginfo command.
(CVE-2016-8691)
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file, a different vulnerability than CVE-2014-8137. (CVE-2016-1577)
Memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file.
(CVE-2016-2116)
The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted JPEG 2000 image. (CVE-2016-2089)
Double free vulnerability in the jasper_image_stop_load function in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. (CVE-2015-5203)
The jpc_pi_nextcprl function in JasPer 1.900.1 allows remote attackers to cause a denial of service (out-of- bounds read and application crash) via a crafted JPEG 2000 image. (CVE-2016-1867)
Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. (CVE-2015-5221)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0109. The text
# itself is copyright (C) ZTE, Inc.
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(127345);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id(
"CVE-2015-5203",
"CVE-2015-5221",
"CVE-2016-1577",
"CVE-2016-1867",
"CVE-2016-2089",
"CVE-2016-2116",
"CVE-2016-8654",
"CVE-2016-8690",
"CVE-2016-8691",
"CVE-2016-8692",
"CVE-2016-8693",
"CVE-2016-8883",
"CVE-2016-8884",
"CVE-2016-8885",
"CVE-2016-9262",
"CVE-2016-9387",
"CVE-2016-9388",
"CVE-2016-9389",
"CVE-2016-9390",
"CVE-2016-9391",
"CVE-2016-9392",
"CVE-2016-9393",
"CVE-2016-9394",
"CVE-2016-9560",
"CVE-2016-9583",
"CVE-2016-9591",
"CVE-2016-9600",
"CVE-2016-10248",
"CVE-2016-10249",
"CVE-2016-10251"
);
script_name(english:"NewStart CGSL MAIN 4.05 : jasper Multiple Vulnerabilities (NS-SA-2019-0109)");
script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 4.05, has jasper packages installed that are affected by multiple
vulnerabilities:
- JasPer before version 2.0.10 is vulnerable to a null
pointer dereference was found in the decoded creation of
JPEG 2000 image files. A specially crafted file could
cause an application using JasPer to crash.
(CVE-2016-9600)
- A use-after-free flaw was found in the way JasPer,
before version 2.0.12, decode certain JPEG 2000 image
files. A specially crafted file could cause an
application using JasPer to crash. (CVE-2016-9591)
- An out-of-bounds heap read vulnerability was found in
the jpc_pi_nextpcrl() function of jasper before 2.0.6
when processing crafted input. (CVE-2016-9583)
- A heap-buffer overflow vulnerability was found in QMFB
code in JPC codec caused by buffer being allocated with
too small size. jasper versions before 2.0.0 are
affected. (CVE-2016-8654)
- Stack-based buffer overflow in the jpc_tsfb_getbands2
function in jpc_tsfb.c in JasPer before 1.900.30 allows
remote attackers to have unspecified impact via a
crafted image. (CVE-2016-9560)
- Multiple integer overflows in the (1) jas_realloc
function in base/jas_malloc.c and (2) mem_resize
function in base/jas_stream.c in JasPer before 1.900.22
allow remote attackers to cause a denial of service via
a crafted image, which triggers use after free
vulnerabilities. (CVE-2016-9262)
- Integer overflow in the jpc_pi_nextcprl function in
jpc_t2cod.c in JasPer before 1.900.20 allows remote
attackers to have unspecified impact via a crafted file,
which triggers use of an uninitialized value.
(CVE-2016-10251)
- The jpc_pi_nextrpcl function in jpc_t2cod.c in JasPer
before 1.900.17 allows remote attackers to cause a
denial of service (assertion failure) via a crafted
file. (CVE-2016-9393)
- The calcstepsizes function in jpc_dec.c in JasPer before
1.900.17 allows remote attackers to cause a denial of
service (assertion failure) via a crafted file.
(CVE-2016-9392)
- The jas_seq2d_create function in jas_seq.c in JasPer
before 1.900.17 allows remote attackers to cause a
denial of service (assertion failure) via a crafted
file. (CVE-2016-9394)
- The jpc_bitstream_getbits function in jpc_bs.c in JasPer
before 2.0.10 allows remote attackers to cause a denial
of service (assertion failure) via a very large integer.
(CVE-2016-9391)
- The ras_getcmap function in ras_dec.c in JasPer before
1.900.14 allows remote attackers to cause a denial of
service (assertion failure) via a crafted image file.
(CVE-2016-9388)
- The jpc_irct and jpc_iict functions in jpc_mct.c in
JasPer before 1.900.14 allow remote attackers to cause a
denial of service (assertion failure). (CVE-2016-9389)
- The jas_seq2d_create function in jas_seq.c in JasPer
before 1.900.14 allows remote attackers to cause a
denial of service (assertion failure) via a crafted
image file. (CVE-2016-9390)
- Integer overflow in the jpc_dec_process_siz function in
libjasper/jpc/jpc_dec.c in JasPer before 1.900.13 allows
remote attackers to have unspecified impact via a
crafted file, which triggers an assertion failure.
(CVE-2016-9387)
- Integer overflow in the jpc_dec_tiledecode function in
jpc_dec.c in JasPer before 1.900.12 allows remote
attackers to have unspecified impact via a crafted image
file, which triggers a heap-based buffer overflow.
(CVE-2016-10249)
- The jpc_tsfb_synthesize function in jpc_tsfb.c in JasPer
before 1.900.9 allows remote attackers to cause a denial
of service (NULL pointer dereference) via vectors
involving an empty sequence. (CVE-2016-10248)
- The jpc_dec_tiledecode function in jpc_dec.c in JasPer
before 1.900.8 allows remote attackers to cause a denial
of service (assertion failure) via a crafted file.
(CVE-2016-8883)
- The jpc_dec_process_siz function in
libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows
remote attackers to cause a denial of service (divide-
by-zero error and application crash) via a crafted YRsiz
value in a BMP image to the imginfo command.
(CVE-2016-8692)
- The bmp_getdata function in libjasper/bmp/bmp_dec.c in
JasPer 1.900.5 allows remote attackers to cause a denial
of service (NULL pointer dereference) by calling the
imginfo command with a crafted BMP image. NOTE: this
vulnerability exists because of an incomplete fix for
CVE-2016-8690. (CVE-2016-8884)
- Double free vulnerability in the mem_close function in
jas_stream.c in JasPer before 1.900.10 allows remote
attackers to cause a denial of service (crash) or
possibly execute arbitrary code via a crafted BMP image
to the imginfo command. (CVE-2016-8693)
- The bmp_getdata function in libjasper/bmp/bmp_dec.c in
JasPer before 1.900.5 allows remote attackers to cause a
denial of service (NULL pointer dereference) via a
crafted BMP image in an imginfo command. (CVE-2016-8690)
- The bmp_getdata function in libjasper/bmp/bmp_dec.c in
JasPer before 1.900.9 allows remote attackers to cause a
denial of service (NULL pointer dereference) by calling
the imginfo command with a crafted BMP image.
(CVE-2016-8885)
- The jpc_dec_process_siz function in
libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows
remote attackers to cause a denial of service (divide-
by-zero error and application crash) via a crafted XRsiz
value in a BMP image to the imginfo command.
(CVE-2016-8691)
- Double free vulnerability in the jas_iccattrval_destroy
function in JasPer 1.900.1 and earlier allows remote
attackers to cause a denial of service (crash) or
possibly execute arbitrary code via a crafted ICC color
profile in a JPEG 2000 image file, a different
vulnerability than CVE-2014-8137. (CVE-2016-1577)
- Memory leak in the jas_iccprof_createfrombuf function in
JasPer 1.900.1 and earlier allows remote attackers to
cause a denial of service (memory consumption) via a
crafted ICC color profile in a JPEG 2000 image file.
(CVE-2016-2116)
- The jas_matrix_clip function in jas_seq.c in JasPer
1.900.1 allows remote attackers to cause a denial of
service (invalid read and application crash) via a
crafted JPEG 2000 image. (CVE-2016-2089)
- Double free vulnerability in the jasper_image_stop_load
function in JasPer 1.900.17 allows remote attackers to
cause a denial of service (crash) via a crafted JPEG
2000 image file. (CVE-2015-5203)
- The jpc_pi_nextcprl function in JasPer 1.900.1 allows
remote attackers to cause a denial of service (out-of-
bounds read and application crash) via a crafted JPEG
2000 image. (CVE-2016-1867)
- Use-after-free vulnerability in the mif_process_cmpt
function in libjasper/mif/mif_cod.c in the JasPer
JPEG-2000 library before 1.900.2 allows remote attackers
to cause a denial of service (crash) via a crafted JPEG
2000 image file. (CVE-2015-5221)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0109");
script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL jasper packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9583");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/20");
script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"NewStart CGSL Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
if (release !~ "CGSL MAIN 4.05")
audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');
if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
flag = 0;
pkgs = {
"CGSL MAIN 4.05": [
"jasper-1.900.1-21.el6_9",
"jasper-libs-1.900.1-21.el6_9"
]
};
pkg_list = pkgs[release];
foreach (pkg in pkg_list)
if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jasper");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5221
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10248
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10249
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10251
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1577
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1867
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2089
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2116
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8654
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8690
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8691
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8692
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8693
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8883
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8884
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8885
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9262
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9387
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9388
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9389
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9390
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9391
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9392
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9393
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9394
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9560
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9583
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9591
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9600
security.gd-linux.com/notice/NS-SA-2019-0109