Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2011-4516

Published: 14 December 2011

Heap-based buffer overflow in the jpc_cox_getcompparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted numrlvls value in a coding style default (COD) marker segment in a JPEG2000 file.

Notes

AuthorNote
jdstrand
test images can be found at http://www.ece.uvic.ca/~frodo/jasper/
mdeslaur
ghostscript has embedded jasper in maverick and older
Debian's netpbm-free doesn't contain jasper

Priority

Medium

Status

Package Release Status
ghostscript
Launchpad, Ubuntu, Debian
hardy
Released (8.61.dfsg.1-1ubuntu3.4)
lucid
Released (8.71.dfsg.1-0ubuntu5.4)
maverick
Released (8.71.dfsg.2-0ubuntu7.1)
natty Not vulnerable
(uses system jasper)
oneiric Not vulnerable
(uses system jasper)
upstream Needs triage

jasper
Launchpad, Ubuntu, Debian
hardy Ignored
(end of life)
lucid
Released (1.900.1-7ubuntu0.10.04.1)
maverick
Released (1.900.1-7ubuntu0.10.10.1)
natty
Released (1.900.1-7ubuntu2.11.04.1)
oneiric
Released (1.900.1-7ubuntu2.11.10.1)
upstream Needs triage

Patches:
vendor: https://rhn.redhat.com/errata/RHSA-2011-1807.html

netpbm-free
Launchpad, Ubuntu, Debian
hardy Not vulnerable
(code not present)
lucid Not vulnerable
(code not present)
maverick Not vulnerable
(code not present)
natty Not vulnerable
(code not present)
oneiric Not vulnerable
(code not present)
upstream Needs triage

Patches:

vendor: https://rhn.redhat.com/errata/RHSA-2011-1811.html