|
|
| Problem Description |
Multiple security vulnerabilities has been identified and fixed
in jasper:
The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly corrupt
the heap via malformed image files, as originally demonstrated using
imagemagick convert (CVE-2007-2721).
Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).
The jas_stream_tmpfile function in libjasper/base/jas_stream.c in
JasPer 1.900.1 allows local users to overwrite arbitrary files via
a symlink attack on a tmp.XXXXXXXXXX temporary file (CVE-2008-3521).
Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via
vectors related to the mif_hdr_put function and use of vsprintf
(CVE-2008-3522).
The updated packages have been patched to prevent this.
| Updated Packages |
Mandriva Enterprise Server 5
65be0f80702a82e764c61805d327b498 mes5/i586/jasper-1.900.1-4.2mdvmes2009.0.i586.rpm dad6f9fe7a3e34d58408068b2203df97 mes5/i586/libjasper1-1.900.1-4.2mdvmes2009.0.i586.rpm f628a7ae56773d45ef2bf6f1965e6915 mes5/i586/libjasper1-devel-1.900.1-4.2mdvmes2009.0.i586.rpm cdd85d00b6236fa78ba29a741080c780 mes5/i586/libjasper1-static-devel-1.900.1-4.2mdvmes2009.0.i586.rpm c27ccae2e89a1c0b7e785c475e6c8741 mes5/SRPMS/jasper-1.900.1-4.2mdvmes2009.0.src.rpm
Mandriva Enterprise Server 5/X86_64
91583c2f79ffb59d66eb9d7d8361a91a mes5/x86_64/jasper-1.900.1-4.2mdvmes2009.0.x86_64.rpm 3af36a7c96312a184f548a3c929b9e7b mes5/x86_64/lib64jasper1-1.900.1-4.2mdvmes2009.0.x86_64.rpm 3b4a398cc3713fc70e67c78fcc28642d mes5/x86_64/lib64jasper1-devel-1.900.1-4.2mdvmes2009.0.x86_64.rpm 980c64c57ce98446a5e8c283bb19e94b mes5/x86_64/lib64jasper1-static-devel-1.900.1-4.2mdvmes2009.0.x86_64.rpm c27ccae2e89a1c0b7e785c475e6c8741 mes5/SRPMS/jasper-1.900.1-4.2mdvmes2009.0.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.