Date: Mon, 16 Jan 2017 19:06:47 -0500
From: <cve-assign@...re.org>
To: <ago@...too.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: jasper: multiple crashes with UBSAN

> http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/

> [] jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11
> runtime error: left shift of negative value -185

Use CVE-2017-5498.


> [] jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838:9
> runtime error: signed integer overflow: -64356352 * 6359082673847140352 cannot
> be represented in type 'long'

Use CVE-2017-5499.


> [] jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819:40
> runtime error: shift exponent 117 is too large for 64-bit type 'jpc_fix_t'
> (aka 'long')

Use CVE-2017-5500.


> [] jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233:35
> runtime error: signed integer overflow: 2013306369 + 251691968 cannot be
> represented in type 'int'

Use CVE-2017-5501.


> [] jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:485:49
> runtime error: left shift of negative value -26

Use CVE-2017-5502.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
