1218802 – (CVE-2023-51257) VUL-0: CVE-2023-51257: jasper: invalid memory write on jas_icctxt_input in jas_icc.c

Bug 1218802 (CVE-2023-51257) - VUL-0: CVE-2023-51257: jasper: invalid memory write on jas_icctxt_input in jas_icc.c

Summary: VUL-0: CVE-2023-51257: jasper: invalid memory write on jas_icctxt_input in ja...

Status:	IN_PROGRESS

Alias:	CVE-2023-51257

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/391193/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-51257:4.8:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-01-15 09:50 UTC by SMASH SMASH
Modified:	2024-02-06 07:50 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-01-15 09:50:28 UTC

A flaw was found due to invalid memory write in jasper due to missing range check in the JPC encoder.

Refer:
https://bugs.gentoo.org/922075

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51257
https://bugzilla.redhat.com/show_bug.cgi?id=2258400
https://github.com/jasper-software/jasper/issues/367

Patch:
https://github.com/jasper-software/jasper/commit/aeef5293c978158255ad4f127089644745602f2a

Comment 1 Andrea Mattiazzo 2024-01-15 09:51:48 UTC

Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/jasper
- SUSE:SLE-12:Update/jasper
- SUSE:SLE-15:Update/jasper

Comment 2 Michael Vetter 2024-01-15 10:33:10 UTC

SR#1138803 to Factory to add bug number
SR#317884 to SUSE:ALP:Source:Standard:1.0
SR#317887 to SUSE_SLE-12_Update
SR#317889 to SUSE_SLE-15_Update

Comment 4 OBSbugzilla Bot 2024-01-15 11:35:04 UTC

This is an autogenerated message for OBS integration:
This bug (1218802) was mentioned in
https://build.opensuse.org/request/show/1138803 Factory / jasper

Comment 5 Maintenance Automation 2024-01-26 12:30:04 UTC

SUSE-SU-2024:0241-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218802
CVE References: CVE-2023-51257
Sources used:
openSUSE Leap 15.5 (src): jasper-2.0.14-150000.3.31.1
Basesystem Module 15-SP5 (src): jasper-2.0.14-150000.3.31.1
Desktop Applications Module 15-SP5 (src): jasper-2.0.14-150000.3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Maintenance Automation 2024-01-26 12:30:06 UTC

SUSE-SU-2024:0240-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218802
CVE References: CVE-2023-51257
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): jasper-1.900.14-195.37.1
SUSE Linux Enterprise Server 12 SP5 (src): jasper-1.900.14-195.37.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): jasper-1.900.14-195.37.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): jasper-1.900.14-195.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.