CVE-2017-13748
published 2017-08-29CVE-2017-13748: There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service…
PriorityP338high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
4.68%
90.6th percentile
There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| jasper_project | jasper | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-qjc6-xfwj-2cxr: There are lots of memory leaks in JasPer 2
ghsa_unreviewed·2022-05-13
CVE-2017-13748 [HIGH] CWE-772 GHSA-qjc6-xfwj-2cxr: There are lots of memory leaks in JasPer 2
There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack.
OSV
CVE-2017-13748: There are lots of memory leaks in JasPer 2
osv·2017-08-29·CVSS 7.5
CVE-2017-13748 [HIGH] CVE-2017-13748: There are lots of memory leaks in JasPer 2
There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack.
Red Hat
jasper: tile memory not released on image parsing errors
vendor_redhat·2017-08-25·CVSS 7.5
CVE-2017-13748 [HIGH] CWE-772 jasper: tile memory not released on image parsing errors
jasper: tile memory not released on image parsing errors
There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack.
Package: netpbm (Red Hat Enterprise Linux 5) - Will not fix
Package: jasper (Red Hat Enterprise Linux 6) - Will not fix
Package: jasper (Red Hat Enterprise Linux 7) - Will not fix
Package: jasper (Red Hat Enterprise Linux 9) - Not affected
Package: mingw-virt-viewer (Red Hat Enterprise Virtualization 3) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-20622 jasper: memory leak in jpc_dec_decodepkt()
bugzilla·2019-01-09·CVSS 7.5
CVE-2018-20622 [HIGH] CVE-2018-20622 jasper: memory leak in jpc_dec_decodepkt()
CVE-2018-20622 jasper: memory leak in jpc_dec_decodepkt()
A flaw was found in JasPer 2.0.14. A memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used.
References:
https://github.com/mdadams/jasper/issues/193
Discussion:
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1664873]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1664875]
Affects: fedora-all [bug 1664874]
---
The main problem demonstrated by the reproducer in the upstream bug report is a duplicate of CVE-2017-13748 (see bug 1488961). Besides the tile data memory leak, the reproducer also triggers a minor memory leak in jpc_dec_decodepkt(), which calls jpc_bitstream_sopen(), which does memory allocation, but does not do matching jpc_bitstream_clos
Bugzilla
CVE-2017-13748 jasper: tile memory not released on image parsing errors
bugzilla·2017-09-06·CVSS 7.5
CVE-2017-13748 [HIGH] CVE-2017-13748 jasper: tile memory not released on image parsing errors
CVE-2017-13748 jasper: tile memory not released on image parsing errors
There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a denial of service attack.
Product bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1485287
Discussion:
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1434464]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]
---
Reported upstream now via:
https://github.com/mdadams/jasper/issues/168
There is no bug in jas_strdup() as originally claimed, and only a fairly minor issue in the imginfo tool related to jas_strdup(), as the tool does not de-init Jasper library properly on errors. That does not real
Bugzilla
CVE-2016-10248 CVE-2016-10251 CVE-2017-1000050 CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-2017-14132 CVE-2017-6850 CVE-
bugzilla·2017-03-21·CVSS 7.5
CVE-2016-10248 [HIGH] CVE-2016-10248 CVE-2016-10251 CVE-2017-1000050 CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-2017-14132 CVE-2017-6850 CVE-
CVE-2016-10248 CVE-2016-10251 CVE-2017-1000050 CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-2017-14132 CVE-2017-6850 CVE-2017-6851 ... mingw-jasper: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the re
Bugzilla
CVE-2016-10251 CVE-2017-1000050 CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-2017-14132 CVE-2017-6850 CVE-2017-6851 CVE-2
bugzilla·2017-03-21·CVSS 7.8
CVE-2016-10251 [HIGH] CVE-2016-10251 CVE-2017-1000050 CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-2017-14132 CVE-2017-6850 CVE-2017-6851 CVE-2
CVE-2016-10251 CVE-2017-1000050 CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-2017-14132 CVE-2017-6850 CVE-2017-6851 CVE-2017-6852 ... mingw-jasper: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant to
Bugzilla
CVE-2016-9396 CVE-2016-9397 CVE-2016-9398 CVE-2016-9399 CVE-2017-1000050 CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-201
bugzilla·2017-03-21·CVSS 7.5
CVE-2016-9396 [HIGH] CVE-2016-9396 CVE-2016-9397 CVE-2016-9398 CVE-2016-9399 CVE-2017-1000050 CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-201
CVE-2016-9396 CVE-2016-9397 CVE-2016-9398 CVE-2016-9399 CVE-2017-1000050 CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-2017-14132 ... jasper: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant t
http://www.securityfocus.com/bid/100514https://bugzilla.redhat.com/show_bug.cgi?id=1485287https://lists.debian.org/debian-lts-announce/2018/11/msg00023.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N4ALB4SXHURLVWKAOKYRNJXPABW3M22M/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPOVZTSIQPW2H4AFLMI3LHJEZGBVEQET/https://security.gentoo.org/glsa/201908-03http://www.securityfocus.com/bid/100514https://bugzilla.redhat.com/show_bug.cgi?id=1485287https://lists.debian.org/debian-lts-announce/2018/11/msg00023.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N4ALB4SXHURLVWKAOKYRNJXPABW3M22M/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPOVZTSIQPW2H4AFLMI3LHJEZGBVEQET/https://security.gentoo.org/glsa/201908-03
2017-08-29
Published