Multiple memory management errors in JasPer might lead to execution of arbitrary code via jpeg2k files.
|Package||media-libs/jasper on all architectures|
|Affected versions||< 1.900.1-r3|
|Unaffected versions||>= 1.900.1-r3|
The JasPer Project is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 (jpeg2k) standard.
Marc Espie and Christian Weisgerber have discovered multiple vulnerabilities in JasPer:
Remote attackers could entice a user or automated system to process specially crafted jpeg2k files with an application using JasPer, possibly leading to the execution of arbitrary code.
There is no known workaround at this time.
All JasPer users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/jasper-1.900.1-r3"
December 16, 2008
December 16, 2008: 01