Some vulnerabilities have been reported in JasPer, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library, and by malicious, local users to perform certain actions with escalated privileges.

1) A vulnerability is caused due to an error in the "jpc_qcx_getcompparms" function when processing JP2 files and can be exploited to crash an application using the library.

2) Various integer overflows errors are reported, which potentially can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into processing a specially crafted file in an application using the library.

3) A boundary error exists within the "jas_stream_printf()" function in src/libjasper/base/jas_stream.c. This can be exploited to cause a stack-based buffer overflow and potentially allows the execution of arbitrary code if an application uses this function to process unsanitised, user supplied data.

4) An error exists when handling temporary files within the "jas_stream_tmpfile()" function in src/libjasper/base/jas_stream.c. This can be exploited to overwrite arbitrary files via race condition and symlink attacks with the privileges of the user running the application.

The vulnerabilities are reported in version 1.900.1. Other versions may also be affected.

Solution
Do not open untrusted files with an application using JasPer.
Further details available in Customer Area

Provided and/or discovered by
1) Reported via a Debian bug report.
2, 3) Red Hat credits Marc Espie and Christian Weisgerber, OpenBSD.
4) Gentoo credits Marc Espie and Christian Weisgerber, OpenBSD.

Changelog
Further details available in Customer Area

Original Advisory
1) http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041
2) https://bugzilla.redhat.com/show_bug.cgi?id=461476
3) https://bugzilla.redhat.com/show_bug.cgi?id=461478
4) http://bugs.gentoo.org/show_bug.cgi?id=222819

Deep Links
Links available in Customer Area