CVE-2015-5203: Double Free
First published: Mon Aug 17 2015(Updated: )
A double free flaw was found in the way JasPer's jasper_image_stop_load() function parsed certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. Original report: <a href="http://seclists.org/oss-sec/2015/q3/366">http://seclists.org/oss-sec/2015/q3/366</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/jasper | ||
| redhat/jasper | <1.900.22 | 1.900.22 |
| Fedora | =23 | |
| Fedora | =24 | |
| Fedora | =25 | |
| openSUSE | =42.2 | |
| openSUSE | =13.1 | |
| openSUSE | =13.2 | |
| openSUSE Leap | =42.1 | |
| Jasper Reports | =1.900.17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2015/08/16/2
- https://bugzilla.redhat.com/show_bug.cgi?id=1254242
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QIZNTZDXOJR5BTRZKCS3GVHVZV2PWHH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AXWV22WGSQFDRPE7G6ECGP3QXS2V2A2M/
- https://security.gentoo.org/glsa/201707-07
- https://access.redhat.com/errata/RHSA-2017:1208
- http://lists.opensuse.org/opensuse-updates/2016-11/msg00010.html
- http://lists.opensuse.org/opensuse-updates/2016-11/msg00018.html
- http://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html
- https://usn.ubuntu.com/3693-1/
- https://lists.debian.org/debian-lts-announce/2018/11/msg00023.html
- https://launchpad.net/bugs/cve/CVE-2015-5203
- https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c11
- https://security-tracker.debian.org/tracker/CVE-2015-5203
- http://seclists.org/oss-sec/2015/q3/366
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1254245
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1254247
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1254244
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1254246
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1066820&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1066820&action=edit
- http://seclists.org/oss-sec/2015/q3/416
- https://git.gnome.org/browse/gdk-pixbuf/tree/gdk-pixbuf/io-jasper.c#n70
- https://bugs.archlinux.org/task/46161
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1254242#c3
- https://github.com/mdadams/jasper/commit/b35a05635e56f554870ce85f64293a3868793f69
- https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a#diff-6cf8c17c2a7595ef1481b68354696c37R379
- https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a#diff-6cf8c17c2a7595ef1481b68354696c37R357
- https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1254242#c4
- https://access.redhat.com/security/cve/CVE-2016-8693
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1385507
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1254242#c11
- https://github.com/mdadams/jasper/commit/
- https://access.redhat.com/security/cve/CVE-2016-9262
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1393882
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QIZNTZDXOJR5BTRZKCS3GVHVZV2PWHH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXWV22WGSQFDRPE7G6ECGP3QXS2V2A2M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203
- https://nvd.nist.gov/vuln/detail/CVE-2015-5203
- https://ubuntu.com/security/CVE-2015-5203
Frequently Asked Questions
What is the severity of CVE-2015-5203?
The severity of CVE-2015-5203 is classified as a high-risk vulnerability due to the potential for application crashes.
How do I fix CVE-2015-5203?
To fix CVE-2015-5203, update the jasper package to version 1.900.22 or later where applicable.
Which versions of Jasper are affected by CVE-2015-5203?
CVE-2015-5203 affects Jasper versions prior to 1.900.22, including 1.900.17 and earlier.
What type of vulnerability is CVE-2015-5203?
CVE-2015-5203 is a double free flaw found in the jasper_image_stop_load() function.
Can CVE-2015-5203 lead to remote code execution?
CVE-2015-5203 does not lead to remote code execution but can cause application crashes when processing specially crafted JPEG 2000 files.
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-5203
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/debian
- package-manager/redhat
- vendor/fedoraproject
- canonical/fedora
- version/fedora/23
- version/fedora/24
- version/fedora/25
- vendor/opensuse
- canonical/opensuse
- version/opensuse/42.2
- version/opensuse/13.1
- version/opensuse/13.2
- vendor/opensuse project
- canonical/opensuse leap
- version/opensuse leap/42.1
- vendor/jasper project
- canonical/jasper reports
- version/jasper reports/1.900.17