There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1296 in JasPer 2.0.12 that will lead to a denial of service attack.
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1434464]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]
This issue, along with the related CVE-2017-13746 (bug 1488959) was now reported upstream via:
Note that the two assertions triggered in the jpc_dec_process_siz() function were only introduced in Jasper version 2.0.12 and hence these CVEs are not applicable to older versions.
Fixed upstream in jasper 2.0.17.