This repository has been archived by the owner on Mar 16, 2022. It is now read-only.
1.123.0
Notably, this release addresses:
Ubuntu Security Notice USN-3295-1:
- CVE-2016-10249: Integer overflow in the jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.12 allows remote attackers to have unspecified impact via a crafted image file, which triggers a heap-based buffer overflow.
- CVE-2016-10251: Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in JasPer before 1.900.20 allows remote attackers to have unspecified impact via a crafted file, which triggers use of an uninitialized value.
- CVE-2016-1867: The jpc_pi_nextcprl function in JasPer 1.900.1 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG 2000 image.
- CVE-2016-2089: The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted JPEG 2000 image.
- CVE-2016-8654: Heap-based buffer overflow in QMFB code in JPC codec
- CVE-2016-8691: The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted XRsiz value in a BMP image to the imginfo command.
- CVE-2016-8692: The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted YRsiz value in a BMP image to the imginfo command.
- CVE-2016-8693: Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command.
- CVE-2016-8882: The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
- CVE-2016-9560: Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_tsfb.c in JasPer before 1.900.30 allows remote attackers to have unspecified impact via a crafted image.
- CVE-2016-9591: Use-after-free on heap in jas_matrix_destroy
-ii libjasper-dev 1.900.1-14ubuntu3.3 amd64 Development files for the JasPer JPEG-2000 library
-ii libjasper1:amd64 1.900.1-14ubuntu3.3 amd64 JasPer JPEG-2000 runtime library
+ii libjasper-dev 1.900.1-14ubuntu3.4 amd64 Development files for the JasPer JPEG-2000 library
+ii libjasper1:amd64 1.900.1-14ubuntu3.4 amd64 JasPer JPEG-2000 runtime library