CVE-2017-5502
published 2017-03-01CVE-2017-5502: libjasper/jp2/jp2_dec.c in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via vectors involving left shift of a negative value.
PriorityP419medium5.5CVSS 3.0
AVLACLPRNUIRSUCNINAH
EPSS
1.33%
67.6th percentile
libjasper/jp2/jp2_dec.c in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via vectors involving left shift of a negative value.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jasper_project | jasper | — | — |
CVSS provenance
nvdv3.05.5MEDIUMCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv5.5MEDIUM
vendor_redhat5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-c4wm-vqcp-rwww: libjasper/jp2/jp2_dec
ghsa_unreviewed·2022-05-13
CVE-2017-5502 [MEDIUM] GHSA-c4wm-vqcp-rwww: libjasper/jp2/jp2_dec
libjasper/jp2/jp2_dec.c in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via vectors involving left shift of a negative value.
OSV
CVE-2017-5502: libjasper/jp2/jp2_dec
osv·2017-03-01·CVSS 5.5
CVE-2017-5502 [MEDIUM] CVE-2017-5502: libjasper/jp2/jp2_dec
libjasper/jp2/jp2_dec.c in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via vectors involving left shift of a negative value.
Red Hat
jasper: Left shift of negative value in jp2_validate() in jp2_dec.c
vendor_redhat·2016-10-28·CVSS 5.5
CVE-2017-5502 [MEDIUM] jasper: Left shift of negative value in jp2_validate() in jp2_dec.c
jasper: Left shift of negative value in jp2_validate() in jp2_dec.c
libjasper/jp2/jp2_dec.c in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via vectors involving left shift of a negative value.
Package: netpbm (Red Hat Enterprise Linux 5) - Not affected
Package: jasper (Red Hat Enterprise Linux 6) - Not affected
Package: jasper (Red Hat Enterprise Linux 7) - Not affected
Package: mingw-virt-viewer (Red Hat Enterprise Virtualization 3) - Not affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-5502 jasper: Left shift of negative value in jp2_validate() in jp2_dec.c
bugzilla·2017-01-24·CVSS 5.5
CVE-2017-5502 [MEDIUM] CVE-2017-5502 jasper: Left shift of negative value in jp2_validate() in jp2_dec.c
CVE-2017-5502 jasper: Left shift of negative value in jp2_validate() in jp2_dec.c
A vulnerability was found in jasper. A crafted file could cause a left shift of negative value.
References:
http://seclists.org/oss-sec/2017/q1/101
Discussion:
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1406409]
---
Created jasper tracking bugs for this issue:
Affects: epel-5 [bug 1406406]
---
Upstream bug report:
https://github.com/mdadams/jasper/issues/76
This issue has not been resolved upstream yet (the current upstream version is 2.0.12).
Reporter's advisory:
https://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/
Relevant information from the advisory:
With the undefined behavior sanitizer enabled, jasper crashes showing some left shift a
Bugzilla
CVE-2016-9591 CVE-2016-9600 CVE-2017-5503 CVE-2017-5504 CVE-2017-5505 mingw-jasper: various flaws [epel-7]
bugzilla·2016-12-20·CVSS 5.5
CVE-2016-9591 [MEDIUM] CVE-2016-9591 CVE-2016-9600 CVE-2017-5503 CVE-2017-5504 CVE-2017-5505 mingw-jasper: various flaws [epel-7]
CVE-2016-9591 CVE-2016-9600 CVE-2017-5503 CVE-2017-5504 CVE-2017-5505 mingw-jasper: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Adding parent
Bugzilla
CVE-2016-9591 CVE-2016-9600 CVE-2017-5503 CVE-2017-5504 CVE-2017-5505 jasper: various flaws [epel-5]
bugzilla·2016-12-20·CVSS 5.5
CVE-2016-9591 [MEDIUM] CVE-2016-9591 CVE-2016-9600 CVE-2017-5503 CVE-2017-5504 CVE-2017-5505 jasper: various flaws [epel-5]
CVE-2016-9591 CVE-2016-9600 CVE-2017-5503 CVE-2017-5504 CVE-2017-5505 jasper: various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-5.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Adding parent bug 14
2017-03-01
Published