USN-2919-1 JasPer vulnerabilities


Severity

Medium

Vendor

Ubuntu, JasPer

Versions Affected
  • Ubuntu 14.04 LTS
Description

Jacob Baines discovered that JasPer incorrectly handled ICC color profiles in JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash or possibly execute arbitrary code with user privileges. (CVE-2016-1577)

Tyler Hicks discovered that JasPer incorrectly handled memory when processing JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to consume memory, resulting in a denial of service. (CVE-2016-2116)

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • All versions of Cloud Foundry rootfs prior to 1.41.0
  • All versions of Pivotal Elastic Runtime
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run with rootfs version 1.41.0 and higher
  • Upgrade Pivotal Elastic Runtime 1.5.x versions to 1.5.18 or later OR 1.6.x versions to 1.6.19 or later
Credit

Jacob Baines, Tyler Hicks

References