U radu programskog paketa Jasper uočena su dva nova sigurnosna nedostatka. Radi se o propustima koje udaljeni napadač može iskoristiti za napad uskraćivanjem usluga (DoS) te proizvoljno pokretanje programskog koda.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:189
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : jasper
 Date    : December 16, 2011
 Affected: 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in jasper:
 
 Heap-based buffer overflow in the jpc_cox_getcompparms function in
 libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to
 execute arbitrary code or cause a denial of service (memory corruption)
 via a crafted numrlvls value in a JPEG2000 file (CVE-2011-4516).
 
 The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer
 1.900.1 uses an incorrect data type during a certain size calculation,
 which allows remote attackers to trigger a heap-based buffer overflow
 and execute arbitrary code, or cause a denial of service (heap memory
 corruption), via a malformed JPEG2000 file (CVE-2011-4517).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 e494dad90e889530c86071f3ffdc2144 
2010.1/i586/jasper-1.900.1-12.1mdv2010.2.i586.rpm
 b2b08a6ecacf2d26d032b1e65ebf390d 
2010.1/i586/libjasper1-1.900.1-12.1mdv2010.2.i586.rpm
 71a43faf4f98f4c8220c377691fc6d7c 
2010.1/i586/libjasper-devel-1.900.1-12.1mdv2010.2.i586.rpm
 002cc21e456874c4927eb0d87c946b98 
2010.1/i586/libjasper-static-devel-1.900.1-12.1mdv2010.2.i586.rpm 
 1cda18f770486d728dc15efdcecc177d 
2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 420fb525b80f6921f36a5bdf89e7163e 
2010.1/x86_64/jasper-1.900.1-12.1mdv2010.2.x86_64.rpm
 9ecae54e76c3e3320ba1837d623c0fbf 
2010.1/x86_64/lib64jasper1-1.900.1-12.1mdv2010.2.x86_64.rpm
 8f8690f72954f4d33e14b5a61dab39af 
2010.1/x86_64/lib64jasper-devel-1.900.1-12.1mdv2010.2.x86_64.rpm
 f08f66c77a6bd13aa9e1d642bd38a756 
2010.1/x86_64/lib64jasper-static-devel-1.900.1-12.1mdv2010.2.x86_64.rpm 
 1cda18f770486d728dc15efdcecc177d 
2010.1/SRPMS/jasper-1.900.1-12.1mdv2010.2.src.rpm

 Mandriva Linux 2011:
 2ca7cc26dc24d01d159200db795c4f62 
2011/i586/jasper-1.900.1-12.1-mdv2011.0.i586.rpm
 25681b4aeccde3e9b85b4f565870853f 
2011/i586/libjasper1-1.900.1-12.1-mdv2011.0.i586.rpm
 fc559da2f2ed5264c7ca37fe313f5979 
2011/i586/libjasper-devel-1.900.1-12.1-mdv2011.0.i586.rpm
 81cf761c980e151a2a804f1fad5be109 
2011/i586/libjasper-static-devel-1.900.1-12.1-mdv2011.0.i586.rpm 
 e2bbe335c556a330f7993c6119c8d6cc  2011/SRPMS/jasper-1.900.1-12.1.src.rpm

 Mandriva Linux 2011/X86_64:
 136e4a0960f038fb1d043afc146260ff 
2011/x86_64/jasper-1.900.1-12.1-mdv2011.0.x86_64.rpm
 bcf658437206939760149448524eceb9 
2011/x86_64/lib64jasper1-1.900.1-12.1-mdv2011.0.x86_64.rpm
 72d5f142060403ca344c2f0311258381 
2011/x86_64/lib64jasper-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm
 d8b8311ec34971e7908c1b2bccb671c9 
2011/x86_64/lib64jasper-static-devel-1.900.1-12.1-mdv2011.0.x86_64.rpm 
 e2bbe335c556a330f7993c6119c8d6cc  2011/SRPMS/jasper-1.900.1-12.1.src.rpm

 Mandriva Enterprise Server 5:
 8bf49dec9c4e4890e3e989ff8fc3bb19 
mes5/i586/jasper-1.900.1-4.3mdvmes5.2.i586.rpm
 bccebb05fb7594cae930ba03ee527039 
mes5/i586/libjasper1-1.900.1-4.3mdvmes5.2.i586.rpm
 35b631ab6c5f153c1e2d273142d385f3 
mes5/i586/libjasper1-devel-1.900.1-4.3mdvmes5.2.i586.rpm
 c01ebaa0319a5bd480a69f3f7d84f35a 
mes5/i586/libjasper1-static-devel-1.900.1-4.3mdvmes5.2.i586.rpm 
 8da90dd5afaeb2aaf09daad2f97d83ab 
mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 8c1aed6122fa87a6341ef2d8282f4390 
mes5/x86_64/jasper-1.900.1-4.3mdvmes5.2.x86_64.rpm
 83d3051efaa4e26793bea89775e2d461 
mes5/x86_64/lib64jasper1-1.900.1-4.3mdvmes5.2.x86_64.rpm
 9f7ed89204edddde7b443e7fac61fe2b 
mes5/x86_64/lib64jasper1-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm
 41d45d8a0ca083a26eed5b213cfd7a79 
mes5/x86_64/lib64jasper1-static-devel-1.900.1-4.3mdvmes5.2.x86_64.rpm 
 8da90dd5afaeb2aaf09daad2f97d83ab 
mes5/SRPMS/jasper-1.900.1-4.3mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFO6x1nmqjQ0CJFipgRAkhTAJ0bHHUFiodH4z69bX/yKE68Vq3+JQCdEPQm
cE1/h3Xv/zQWnadBoHy4OcY=
=DYuC
-----END PGP SIGNATURE-----