JasPer Multiple Denial of Service Vulnerabilities

JasPer is prone to multiple denial-of-service vulnerabilities.

Successfully exploiting these issues allows remote attackers to cause denial-of-service conditions.

Information

Bugtraq ID: 100514
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2017-13745
CVE-2017-13746
CVE-2017-13747
CVE-2017-13748
CVE-2017-13749
CVE-2017-13750
CVE-2017-13751
CVE-2017-13752
CVE-2017-13753

Remote: Yes
Local: No
Published: Aug 29 2017 12:00AM
Updated: Jan 16 2019 06:00AM
Credit: OWL337.
Vulnerable: Oracle Outside In Technology 8.5.3
JasPer JasPer 2.0.12

Not Vulnerable:

Exploit

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

References:

• Bug 1485274 - There is a reachable assertion abort in function jpc_dec_process_ (Redhat)
  
• Bug 1485280 - There is a reachable assertion abort in function jpc_dec_process_ (Redhat)
  
• Bug 1485272 - There is a reachable assertion abort in function JPC_NOMINALGAIN() (Redhat)
  
• Bug 1485276 - There is a reachable assertion abort in function jpc_dequantize() (Redhat)
  
• Bug 1485282 - There is a reachable assertion abort in function jpc_floorlog2() o (Redhat)
  
• Bug 1485283 - There is a reachable assertion abort in function calcstepsizes() o (Redhat)
  
• Bug 1485285 - There is a reachable assertion abort in function jpc_pi_nextrpcl() (Redhat)
  
• Bug 1485286 - There is a reachable assertion abort in function jpc_dec_process_s (Redhat)
  
• Bug 1485287 - There are lots of memory leaks in JasPer which is trigged in funct (Redhat)
  
• Oracle Critical Patch Update Advisory - January 2019 (Oracle)
  

Source: www.securityfocus.com