Bugzilla – Bug 1181483
VUL-1: CVE-2021-3272: jasper: heap-based buffer over-read in jp2_decode in jp2/jp2_dec.c
Last modified: 2021-09-13 10:31:22 UTC
CVE-2021-3272 jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3272 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3272 https://github.com/jasper-software/jasper/issues/259
All our supported versions of jasper are missing a check for the number of channels and components. Fortunately the source code hasn't changed much and the upstream patch applies cleanly: https://github.com/jasper-software/jasper/commit/49174ab592cdfa6f1a929a2ee3d4b4976f9459fd SUSE:SLE-11:Update Affected SUSE:SLE-12:Update Affected SUSE:SLE-15:Update Affected
This is an autogenerated message for OBS integration: This bug (1181483) was mentioned in https://build.opensuse.org/request/show/870221 Factory / jasper
SRs accepted.
SUSE-SU-2021:14627-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1179748,1181483 CVE References: CVE-2020-27828,CVE-2021-3272 JIRA References: Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): jasper-1.900.14-134.33.20.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): jasper-1.900.14-134.33.20.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): jasper-1.900.14-134.33.20.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): jasper-1.900.14-134.33.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0489-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1179748,1181483 CVE References: CVE-2020-27828,CVE-2021-3272 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): jasper-1.900.14-195.25.1 SUSE OpenStack Cloud Crowbar 8 (src): jasper-1.900.14-195.25.1 SUSE OpenStack Cloud 9 (src): jasper-1.900.14-195.25.1 SUSE OpenStack Cloud 8 (src): jasper-1.900.14-195.25.1 SUSE OpenStack Cloud 7 (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Server 12-SP5 (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): jasper-1.900.14-195.25.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): jasper-1.900.14-195.25.1 HPE Helion Openstack 8 (src): jasper-1.900.14-195.25.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0488-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1179748,1181483 CVE References: CVE-2020-27828,CVE-2021-3272 JIRA References: Sources used: SUSE Manager Server 4.0 (src): jasper-2.0.14-3.19.1 SUSE Manager Retail Branch Server 4.0 (src): jasper-2.0.14-3.19.1 SUSE Manager Proxy 4.0 (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise Server for SAP 15 (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise Server 15-LTSS (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): jasper-2.0.14-3.19.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): jasper-2.0.14-3.19.1 SUSE Enterprise Storage 6 (src): jasper-2.0.14-3.19.1 SUSE CaaS Platform 4.0 (src): jasper-2.0.14-3.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0303-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1179748,1181483 CVE References: CVE-2020-27828,CVE-2021-3272 JIRA References: Sources used: openSUSE Leap 15.2 (src): jasper-2.0.14-lp152.7.6.1
released