An assertion failure was possible to trigger in jpc_floorlog2. CVE assignment: http://seclists.org/oss-sec/2016/q4/441
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1396987] Affects: epel-7 [bug 1396989]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1396986] Affects: epel-5 [bug 1396988]
Original reporter's advisory: https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/ Upstream bug report: https://github.com/mdadams/jasper/issues/71 Test case: https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2 This issue has not been fixed upstream yet - the issue is reproducible with the current git master, hence still affecting upstream version 2.0.1.
Quoting relevant part of the original reporter's advisory for posterity: Affected version: 1.900.17 Output/failure: imginfo: /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_math.c:94: int jpc_floorlog2(int): Assertion `x > 0′ failed. Commit fix: N/A Fixed version: N/A Testcase: https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2 CVE: CVE-2016-9398
Remains unfixed in 2.0.11.
Upstream commit: https://github.com/jasper-software/jasper/commit/c6f9fb6ec7fc97a5c4213f9077faf8622685d160 The issue was fixed upstream in jasper 2.0.17.
*** Bug 1488960 has been marked as a duplicate of this bug. ***
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-9398