JasPer 2.0.14 allows remote attackers to cause a denial of service (application hang) via an attempted conversion to the jp2 format.

References:
https://github.com/mdadams/jasper/issues/192
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1664865]

Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1664867]
Affects: fedora-all [bug 1664866]
I'm not able to reproduce this problem using any jasper version, including upstream 2.0.14 that is claimed to be affected. The upstream issue contains an archive with multiple test files, some of which take a little longer to process - in my case that's about 3-4 seconds. I would not classify that as a hang, unclear if that's what the reporter meant.
This was determined as not reproducible / invalid in the jasper-maint fork of jasper: https://github.com/jasper-maint/jasper/issues/19