[Bug 240397] New: CVE-2007-2721: jasper DoS, heap corruption
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240397
Summary: CVE-2007-2721: jasper DoS, heap corruption
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: jasper
AssignedTo: rdieter(a)math.unl.edu
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721
"The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000
library (libjasper) before 1.900 allows remote user-assisted attackers to cause
a denial of service (crash) and possibly corrupt the heap via malformed image
files, as originally demonstrated using imagemagick convert."
Appears to affect 1.900.1 too.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
15 years, 3 months
Re: Need Information Rergading US CERT VU#800113
by Josh Bressers
On 9 July 2008, Anne-Marie wrote:
> That's wonderful! Thank you Josh. I understand only releases prior
> to Fedora 8 will need to be patched. Is this correct?
>
> Thank you again for your help,
>
No, all versions of bind need to be patched, as bind will get a random UDP
port from the kernel, but reuse it for subsequent queries.
--
JB
15 years, 5 months