Bug 1218802 (CVE-2023-51257)

Summary:	VUL-0: CVE-2023-51257: jasper: invalid memory write on jas_icctxt_input in jas_icc.c
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	IN_PROGRESS ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	andrea.mattiazzo
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/391193/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-51257:4.8:(AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-01-15 09:50:28 UTC

A flaw was found due to invalid memory write in jasper due to missing range check in the JPC encoder.

Refer:
https://bugs.gentoo.org/922075

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51257
https://bugzilla.redhat.com/show_bug.cgi?id=2258400
https://github.com/jasper-software/jasper/issues/367

Patch:
https://github.com/jasper-software/jasper/commit/aeef5293c978158255ad4f127089644745602f2a

Comment 1 Andrea Mattiazzo 2024-01-15 09:51:48 UTC

Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/jasper
- SUSE:SLE-12:Update/jasper
- SUSE:SLE-15:Update/jasper

Comment 2 Michael Vetter 2024-01-15 10:33:10 UTC

SR#1138803 to Factory to add bug number
SR#317884 to SUSE:ALP:Source:Standard:1.0
SR#317887 to SUSE_SLE-12_Update
SR#317889 to SUSE_SLE-15_Update

Comment 4 OBSbugzilla Bot 2024-01-15 11:35:04 UTC

This is an autogenerated message for OBS integration:
This bug (1218802) was mentioned in
https://build.opensuse.org/request/show/1138803 Factory / jasper

Comment 5 Maintenance Automation 2024-01-26 12:30:04 UTC

SUSE-SU-2024:0241-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218802
CVE References: CVE-2023-51257
Sources used:
openSUSE Leap 15.5 (src): jasper-2.0.14-150000.3.31.1
Basesystem Module 15-SP5 (src): jasper-2.0.14-150000.3.31.1
Desktop Applications Module 15-SP5 (src): jasper-2.0.14-150000.3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Maintenance Automation 2024-01-26 12:30:06 UTC

SUSE-SU-2024:0240-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218802
CVE References: CVE-2023-51257
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): jasper-1.900.14-195.37.1
SUSE Linux Enterprise Server 12 SP5 (src): jasper-1.900.14-195.37.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): jasper-1.900.14-195.37.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): jasper-1.900.14-195.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.