-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:189
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : jasper
 Date    : December 16, 2011
 Affected: 2010.1, 2011, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in jasper:

 Heap-based buffer overflow in the jpc_cox_getcompparms function in
 libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to
 execute arbitrary code or cause a denial of service (memory corruption)
 via a crafted numrlvls value in a JPEG2000 file (CVE-2011-4516).

 The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer
 1.900.1 uses an incorrect data type during a certain size calculation,
 which allows remote attackers to trigger a heap-based buffer overflow
 and execute arbitrary code, or cause a denial of service (heap memory
 corruption), via a malformed JPEG2000 file (CVE-2011-4517).

 The updated packages have been patched to correct these issues.
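 The following is an added illustration of the defect class behind
 CVE-2011-4516; it is not JasPer's code and not part of the advisory.
 It assumes a simplified component-parameter structure with a fixed
 per-resolution-level array (capacity 33, taken here as an assumption
 matching JasPer's JPC_MAXRLVLS) and a one-byte file-supplied field
 holding numrlvls - 1, as in a JPEG 2000 COD/COC segment. The vulnerable
 form is shown only for contrast beside the hardened one; the test input
 is constructed inline.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustration for MDVSA-2011:189, not JasPer's code. Types, names and the
 * byte layout are assumptions that mirror the defect the advisory names:
 * a file-supplied count used as a loop bound for a fixed-size array. */

#define MAXRLVLS 33   /* assumed array capacity; JasPer's JPC_MAXRLVLS is 33 */

typedef struct {
    uint8_t parwidthval;
    uint8_t parheightval;
} rlvl_t;

typedef struct {
    unsigned numrlvls;
    rlvl_t   rlvls[MAXRLVLS];   /* fixed capacity; numrlvls comes from the file.
                                 * In JasPer the enclosing structure is heap
                                 * allocated, hence a heap-based overflow. */
} compparms_t;

typedef struct { const uint8_t *p; size_t n; } in_t;

static int get8(in_t *in, uint8_t *out)
{
    if (in->n == 0) return -1;
    *out = *in->p++;
    in->n--;
    return 0;
}

/* Vulnerable pattern: numrlvls (1..256) is trusted and drives writes into a
 * 33-entry array. Kept for contrast only; calling it with numrlvls > MAXRLVLS
 * writes past rlvls[] and is undefined behaviour. */
int cox_getcompparms_vulnerable(in_t *in, compparms_t *cp)
{
    uint8_t tmp;
    if (get8(in, &tmp)) return -1;
    cp->numrlvls = (unsigned)tmp + 1;
    for (unsigned i = 0; i < cp->numrlvls; ++i) {
        uint8_t v;
        if (get8(in, &v)) return -1;
        cp->rlvls[i].parwidthval  = v & 0x0f;   /* i may reach 255 here */
        cp->rlvls[i].parheightval = v >> 4;
    }
    return 0;
}

/* Hardened form: reject the count before it is ever used as an index. */
int cox_getcompparms_fixed(in_t *in, compparms_t *cp)
{
    uint8_t tmp;
    if (get8(in, &tmp)) return -1;
    cp->numrlvls = (unsigned)tmp + 1;
    if (cp->numrlvls > MAXRLVLS) return -1;    /* the bound check that was missing */
    for (unsigned i = 0; i < cp->numrlvls; ++i) {
        uint8_t v;
        if (get8(in, &v)) return -1;
        cp->rlvls[i].parwidthval  = v & 0x0f;
        cp->rlvls[i].parheightval = v >> 4;
    }
    return 0;
}

/* Builds a constructed segment (count byte followed by 256 precinct-size
 * bytes of 0x12) and runs the hardened parser. Returns 0 on success,
 * -1 when the segment is rejected or truncated. */
int parse_constructed_cox(uint8_t numrlvls_minus_1, compparms_t *cp)
{
    uint8_t buf[1 + 256];
    buf[0] = numrlvls_minus_1;
    memset(buf + 1, 0x12, 256);      /* constructed payload, not real image data */
    in_t in = { buf, sizeof buf };
    return cox_getcompparms_fixed(&in, cp);
}
```

 A crafted count byte of 0xff yields numrlvls = 256 and is rejected by
 the hardened parser; the largest accepted value is exactly MAXRLVLS.
 The CVE-2011-4517 issue is a different defect class (a size calculation
 made with the wrong type), and the same rule applies there: validate
 every file-derived quantity against the buffer it sizes or indexes
 before using it.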
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 e494dad90e889530c86071f3ffdc2144  2010.1/i586/jasper-1.900.1-12.1mdv2010.2.i586.rpm
 b2b08a6ecacf2d26d032b1e65ebf390d  2010.1/i586/libjasper1-1.900.1-12.1mdv2010.2.i586.rpm
 71a43faf4f98f4c8220c377691fc6d7c  2010.1/i586/libjasper-devel-1.900.1-12.1mdv2010.2.i586.rpm
 002cc21e456874c4927eb0d87c946b98  2010.1/i586/libjasper-static-devel-1.900.1-12.1mdv2010.2.i586.rpm
 1cda18f770486d728dc15efdcecc177d  2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 420fb525b80f6921f36a5bdf89e7163e  2010.1/x86_64/jasper-1.900.1-12.1mdv2010.2.x86_64.rpm
 9ecae54e76c3e3320ba1837d623c0fbf  2010.1/x86_64/lib64jasper1-1.900.1-12.1mdv2010.2.x86_64.rpm
 8f8690f72954f4d33e14b5a61dab39af  2010.1/x86_64/lib64jasper-devel-1.900.1-12.1mdv2010.2.x86_64.rpm
 f08f66c77a6bd13aa9e1d642bd38a756  2010.1/x86_64/lib64jasper-static-devel-1.900.1-12.1mdv2010.2.x86_64.rpm
 1cda18f770486d728dc15efdcecc177d  2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm

 Mandriva Linux 2011:
 2ca7cc26dc24d01d159200db795c4f62  2011/i586/jasper-1.900.1-12.1-mdv2011.0.i586.rpm
 25681b4aeccde3e9b85b4f565870853f  2011/i586/libjasper1-1.900.1-12.1-mdv2011.0.i586.rpm
 fc559da2f2ed5264c7ca37fe313f5979  2011/i586/libjasper-devel-1.900.1-12.1-mdv2011.0.i586.rpm
 81cf761c980e151a2a804f1fad5be109  2011/i586/libjasper-static-devel-1.900.1-12.1-mdv2011.0.i586.rpm
 e2bbe335c556a330f7993c6119c8d6cc  2011/SRPMS/jasper-1.900.1-12.1.src.rpm

 Mandriva Linux 2011/X86_64:
 136e4a0960f038fb1d043afc146260ff  2011/x86_64/jasper-1.900.1-12.1-mdv2011.0.x86_64.rpm
 bcf658437206939760149448524eceb9  2011/x86_64/lib64jasper1-1.900.1-12.1-mdv2011.0.x86_64.rpm
 72d5f142060403ca344c2f0311258381  2011/x86_64/lib64jasper-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm
 d8b8311ec34971e7908c1b2bccb671c9  2011/x86_64/lib64jasper-static-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm
 e2bbe335c556a330f7993c6119c8d6cc  2011/SRPMS/jasper-1.900.1-12.1.src.rpm

 Mandriva Enterprise Server 5:
 8bf49dec9c4e4890e3e989ff8fc3bb19  mes5/i586/jasper-1.900.1-4.3mdvmes5.2.i586.rpm
 bccebb05fb7594cae930ba03ee527039  mes5/i586/libjasper1-1.900.1-4.3mdvmes5.2.i586.rpm
 35b631ab6c5f153c1e2d273142d385f3  mes5/i586/libjasper1-devel-1.900.1-4.3mdvmes5.2.i586.rpm
 c01ebaa0319a5bd480a69f3f7d84f35a  mes5/i586/libjasper1-static-devel-1.900.1-4.3mdvmes5.2.i586.rpm
 8da90dd5afaeb2aaf09daad2f97d83ab  mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 8c1aed6122fa87a6341ef2d8282f4390  mes5/x86_64/jasper-1.900.1-4.3mdvmes5.2.x86_64.rpm
 83d3051efaa4e26793bea89775e2d461  mes5/x86_64/lib64jasper1-1.900.1-4.3mdvmes5.2.x86_64.rpm
 9f7ed89204edddde7b443e7fac61fe2b  mes5/x86_64/lib64jasper1-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm
 41d45d8a0ca083a26eed5b213cfd7a79  mes5/x86_64/lib64jasper1-static-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm
 8da90dd5afaeb2aaf09daad2f97d83ab  mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFO6x1nmqjQ0CJFipgRAkhTAJ0bHHUFiodH4z69bX/yKE68Vq3+JQCdEPQm
cE1/h3Xv/zQWnadBoHy4OcY=
=DYuC
-----END PGP SIGNATURE-----