It was found that JasPer allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted image, related to the jp2_decode function in libjasper/jp2/jp2_dec.c.
Upstream issue: https://github.com/mdadams/jasper/issues/140
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1463998]

Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1463997]
Affects: fedora-all [bug 1463999]
Further issue analysis details noted in the upstream bug report: https://github.com/mdadams/jasper/issues/140#issuecomment-312874384
Upstream commit: https://github.com/jasper-software/jasper/commit/839b1bcf0450ff036c28e8db40a7abf886e02891
Fixed upstream in jasper 2.0.17.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-9782