ASA-201703-9 generated external raw

[ASA-201703-9] jasper: multiple issues
Arch Linux Security Advisory ASA-201703-9 ========================================= Severity: High Date : 2017-03-14 CVE-ID : CVE-2016-8886 CVE-2016-9591 Package : jasper Type : multiple issues Remote : Yes Link : Summary ======= The package jasper before version 2.0.12-1 is vulnerable to multiple issues including arbitrary code execution and denial of service. Resolution ========== Upgrade to 2.0.12-1. # pacman -Syu "jasper>=2.0.12-1" The problems have been fixed upstream in version 2.0.12. Workaround ========== None. Description =========== - CVE-2016-8886 (denial of service) A memory allocation failure was found in jas_malloc triggered by a crafted file that results in an application crash leading to denial of service. - CVE-2016-9591 (arbitrary code execution) A heap-use-after-free vulnerability has been found in jasper. The vulnerability exists in code responsible for re-encoding the decoded input image file to a J2P image. The vulnerability is caused by not setting related pointers to be null after the pointers are freed (i.e. missing Setting-Pointer-Null operations after free). The vulnerability can further cause double-free. Impact ====== A remote attacker is able to use specially crafted images that, when processed, lead to arbitrary code execution or application crash. References ==========