Bug 2133696 (CVE-2022-40755)

Summary: CVE-2022-40755 jasper: Reachable assertion in inttobits, jas_image.c
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: erik-fedora, jburrell, jridky, manisandro, rh-spice-bugs, rjones
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found in JasPer. A reachable assertion in the inttobits function in libjasper/base/jas_image.c leads to a denial of service.
Bug Depends On: 2133697, 2133698, 2133699, 2133700, 2138350, 2138351, 2138352    
Bug Blocks: 2128495    

Description Sandipan Roy 2022-10-11 08:08:25 UTC
JasPer 3.0.6 allows denial of service via a reachable assertion in the function inttobits in libjasper/base/jas_image.c.

https://github.com/jasper-software/jasper/issues/338

Comment 1 Sandipan Roy 2022-10-11 08:12:54 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-35 [bug 2133697]
Affects: fedora-36 [bug 2133699]


Created mingw-jasper tracking bugs for this issue:

Affects: fedora-35 [bug 2133698]
Affects: fedora-36 [bug 2133700]