Bugzilla – Bug 1088278
VUL-1: CVE-2018-9252: jasper: Denial of service via a reachable assertion in the function jpc_abstorelstepsize in libjasper/jpc/jpc_enc.c.
Last modified: 2023-12-20 14:50:11 UTC
CVE-2018-9252 JasPer 2.0.14 allows denial of service via a reachable assertion in the function jpc_abstorelstepsize in libjasper/jpc/jpc_enc.c. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9252 http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9252.html https://github.com/mdadams/jasper/issues/173
PoC triggers on Leap 42.3 / SLE-12. kbabioch@aquarius:~ $ jasper --input Downloads/jpc_abstorelstepsize_Assertion_poc --input-format jpc --output out.jp2 --output-format jp2 jasper: jpc_enc.c:186: jpc_abstorelstepsize: Assertion `!((expn) & (~0x1f))' failed. [1] 7192 abort (core dumped) jasper --input Downloads/jpc_abstorelstepsize_Assertion_poc --input-format jp
Created attachment 766090 [details] Reproducer
Fix https://github.com/jasper-software/jasper/commit/6cd1e1d8aff56d0d86d4e7d1e7e3e4dd1c64b55d jasper-CVE-2018-9252.patch in home:mvetter:jasper-cves. Will submit once more issues are fixed.
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available. Category: security (low) Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): jasper-1.900.14-195.22.1 SUSE Linux Enterprise Server 12-SP5 (src): jasper-1.900.14-195.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2689-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 JIRA References: Sources used: SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): jasper-2.0.14-3.16.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): jasper-2.0.14-3.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1517-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 JIRA References: Sources used: openSUSE Leap 15.1 (src): jasper-2.0.14-lp151.4.9.1
openSUSE-SU-2020:1523-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807 CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252 JIRA References: Sources used: openSUSE Leap 15.2 (src): jasper-2.0.14-lp152.7.3.1
Done, closing.
This is an autogenerated message for OBS integration: This bug (1088278) was mentioned in https://build.opensuse.org/request/show/1121278 Factory / jasper