openSUSE Security Update: Security update for jasper
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1034-1
Rating:             moderate
References:         #1015400 #1018088 #1020353 #1021868 #1029497
Cross-References:   CVE-2016-10251 CVE-2016-9583 CVE-2016-9600
                    CVE-2017-5498 CVE-2017-6850
Affected Products:
                    openSUSE Leap 42.2
                    openSUSE Leap 42.1
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

This update for jasper fixes the following issues:

Security issues fixed:

- CVE-2016-9600: Null Pointer Dereference due to missing check for UNKNOWN
  color space in JP2 encoder (bsc#1018088)
- CVE-2016-10251: Use of uninitialized value in jpc_pi_nextcprl
  (jpc_t2cod.c) (bsc#1029497)
- CVE-2017-5498: left-shift undefined behaviour (bsc#1020353)
- CVE-2017-6850: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c)
  (bsc#1021868)
- CVE-2016-9583: Out of bounds heap read in jpc_pi_nextpcrl() (bsc#1015400)

This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:

    zypper in -t patch openSUSE-2017-478=1

- openSUSE Leap 42.1:

    zypper in -t patch openSUSE-2017-478=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE Leap 42.2 (i586 x86_64):

    jasper-1.900.14-175.3.1
    jasper-debuginfo-1.900.14-175.3.1
    jasper-debugsource-1.900.14-175.3.1
    libjasper-devel-1.900.14-175.3.1
    libjasper1-1.900.14-175.3.1
    libjasper1-debuginfo-1.900.14-175.3.1

- openSUSE Leap 42.2 (x86_64):

    libjasper1-32bit-1.900.14-175.3.1
    libjasper1-debuginfo-32bit-1.900.14-175.3.1

- openSUSE Leap 42.1 (i586 x86_64):

    jasper-1.900.14-176.1
    jasper-debuginfo-1.900.14-176.1
    jasper-debugsource-1.900.14-176.1
    libjasper-devel-1.900.14-176.1
    libjasper1-1.900.14-176.1
    libjasper1-debuginfo-1.900.14-176.1

- openSUSE Leap 42.1 (x86_64):

    libjasper1-32bit-1.900.14-176.1
    libjasper1-debuginfo-32bit-1.900.14-176.1

References:

    https://www.suse.com/security/cve/CVE-2016-10251.html
    https://www.suse.com/security/cve/CVE-2016-9583.html
    https://www.suse.com/security/cve/CVE-2016-9600.html
    https://www.suse.com/security/cve/CVE-2017-5498.html
    https://www.suse.com/security/cve/CVE-2017-6850.html
    https://bugzilla.suse.com/1015400
    https://bugzilla.suse.com/1018088
    https://bugzilla.suse.com/1020353
    https://bugzilla.suse.com/1021868
    https://bugzilla.suse.com/1029497