Memory leak in jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier was found, allowing remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file.

Vulnerable code: src/libjasper/base/jas_icc.c:

1685 jas_iccprof_t *jas_iccprof_createfrombuf(uchar *buf, int len)
1686 {
1687     jas_stream_t *in;
1688     jas_iccprof_t *prof;
1689     if (!(in = jas_stream_memopen(JAS_CAST(char *, buf), len)))
1690         goto error;
1691     if (!(prof = jas_iccprof_load(in)))
1692         goto error;
1693     jas_stream_close(in);
1694     return prof;
1695 error:
1696     return 0;
1697 }

jas_stream_t allocated by the call to jas_stream_memopen() is leaked if jas_iccprof_load() fails on line 1691.

Proposed patch: http://seclists.org/oss-sec/2016/q1/att-507/CVE-2016-2116.patch

Public via (contains crash report): http://seclists.org/oss-sec/2016/q1/507
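As an added illustration (not JasPer's code and not the patch linked above), the following C model reproduces the control flow of the reported function beside a shape that closes the stream on every path, and counts live stream objects so the leak on the failure path can be checked. The stream type, profile type, loader rule and sample input are constructed stand-ins for libjasper's real ones.

```c
#include <stdlib.h>
#include <string.h>
static int live_streams = 0;   /* streams opened but not yet closed */
typedef struct { const unsigned char *buf; int len; } stream_t;  /* stand-in */
typedef struct { int ntags; } iccprof_t;                         /* stand-in */
static stream_t *stream_memopen(const unsigned char *buf, int len)
{
    stream_t *in = malloc(sizeof *in);
    if (in) { in->buf = buf; in->len = len; live_streams++; }
    return in;
}
static void stream_close(stream_t *in) { free(in); live_streams--; }

/* Stand-in loader: fails unless the buffer begins "acsp" (constructed rule). */
static iccprof_t *iccprof_load(stream_t *in)
{
    if (in->len < 4 || memcmp(in->buf, "acsp", 4) != 0) return NULL;
    iccprof_t *p = malloc(sizeof *p);
    if (p) p->ntags = 0;
    return p;
}

/* Same control flow as the reported function: a failed load jumps past stream_close. */
static iccprof_t *createfrombuf_leaky(const unsigned char *buf, int len)
{
    stream_t *in; iccprof_t *prof;
    if (!(in = stream_memopen(buf, len))) goto error;
    if (!(prof = iccprof_load(in))) goto error;   /* `in` is never closed */
    stream_close(in);
    return prof;
error:
    return NULL;
}

/* Fixed shape: the stream is closed on every path that opened it. */
static iccprof_t *createfrombuf_fixed(const unsigned char *buf, int len)
{
    stream_t *in = stream_memopen(buf, len);
    if (!in) return NULL;
    iccprof_t *prof = iccprof_load(in);
    stream_close(in);
    return prof;                    /* NULL on failure, nothing leaked */
}
/* Feed a malformed profile to fn; returns how many streams were left open. */
static int leaked_after_bad_input(iccprof_t *(*fn)(const unsigned char *, int))
{
    static const unsigned char bad[] = "not an icc profile";  /* constructed */
    live_streams = 0;
    free(fn(bad, (int)sizeof bad - 1));
    return live_streams;
}
```

A decoder that calls the leaky shape once per malformed embedded profile leaves one stream object behind each time, which is the memory-consumption effect the report describes.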
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1314474]
Affects: epel-7 [bug 1314476]
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1314473]
Affects: epel-5 [bug 1314475]
jasper-1.900.1-33.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-33.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Fix was integrated upstream in version 1.900.2: https://github.com/mdadams/jasper/commit/142245b9bbb33274a7c620aa7a8f85bc00b2d68e
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208