VYPR
Medium severity 5.5 · NVD Advisory · Published Mar 23, 2017 · Updated May 13, 2026

CVE-2016-9392


Description

The calcstepsizes function in jpc_dec.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In JasPer before 1.900.17, the calcstepsizes function in jpc_dec.c triggers an assertion failure via a crafted file, causing denial of service.

Vulnerability

JasPer before version 1.900.17 contains an assertion failure vulnerability in the calcstepsizes function within jpc_dec.c. An attacker can trigger this flaw by supplying a specially crafted JPEG-2000 image file that causes the function to assert when processing step sizes. The code path is reachable when the library or a utility such as imginfo parses the malformed file. [Description]

Exploitation

No authentication or special privileges are required. An attacker only needs to deliver a crafted JPEG-2000 image to a system using JasPer, for example via email attachment, web download, or file upload. If the file is opened by a JasPer-based application or a command-line tool, the assertion failure causes the process to crash, leading to a denial of service. No code execution is indicated in the available sources.

Impact

The impact is a denial of service caused by an assertion failure that terminates the JasPer process. Confidentiality and integrity are unaffected; availability is degraded. The scope is limited to the application using JasPer, which may be a library used by other software.

Mitigation

The vulnerability is fixed in JasPer version 1.900.17. Red Hat Enterprise Linux 7 and 6 provide updated packages to versions 1.900.1-30.el7_3 and 1.900.1-21.el6_9, respectively [1]. Ubuntu 16.04 LTS includes libjasper1 version 1.900.1-debian1-2 [2]. Users should update to the patched version supplied by their distribution or compile from the upstream source.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

14

References

8
