Bug 1488960 (CVE-2017-13747) - CVE-2017-13747 jasper: reachable assertion in jpc_floorlog2()
Summary: CVE-2017-13747 jasper: reachable assertion in jpc_floorlog2()
Keywords:
Status: CLOSED DUPLICATE of bug 1396980
Alias: CVE-2017-13747
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1434464 1434465 1434467 1485282 1910582
Blocks: 1449402
TreeView+ depends on / blocked
 
Reported: 2017-09-06 13:56 UTC by Andrej Nemec
Modified: 2020-12-28 21:51 UTC (History)
15 users (show)

Fixed In Version: jasper 2.0.17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-28 21:40:36 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2017-09-06 13:56:49 UTC 
There is a reachable assertion abort in the function jpc_floorlog2() in jpc/jpc_math.c in JasPer 2.0.12 that will lead to a denial of service attack.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1485282
Comment 1 Andrej Nemec 2017-09-06 14:07:52 UTC 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434464]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]
Comment 2 Tomas Hoger 2017-12-05 13:20:50 UTC 
This CVE is for the same reachable assertion as CVE-2016-9398 (bug 1396980).  Upstream bug report is:

https://github.com/mdadams/jasper/issues/71

The issue remains unfixed in the current upstream version 2.0.14.
Comment 5 Tomas Hoger 2020-12-28 21:38:45 UTC 
Upstream commit:

https://github.com/jasper-software/jasper/commit/c6f9fb6ec7fc97a5c4213f9077faf8622685d160

The issue was fixed upstream in jasper 2.0.17.
Comment 6 Tomas Hoger 2020-12-28 21:40:36 UTC 
This is a duplicate of CVE-2016-9398.

*** This bug has been marked as a duplicate of bug 1396980 ***
Note You need to log in before you can comment on or make changes to this bug.