Severity

Medium

Vendor

Ubuntu, JasPer

Versions Affected

• Ubuntu 14.04 LTS

Description

Jacob Baines discovered that JasPer incorrectly handled ICC color profiles in JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash or possibly execute arbitrary code with user privileges. (CVE-2016-1577)

Tyler Hicks discovered that JasPer incorrectly handled memory when processing JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to consume memory, resulting in a denial of service. (CVE-2016-2116)

Affected Products and Versions

Severity is medium unless otherwise noted.

• All versions of Cloud Foundry rootfs prior to 1.41.0

Mitigation

Users of affected versions should apply the following mitigation:

• The Cloud Foundry project recommends that Cloud Foundry deployments run with rootfs version 1.41.0 and higher

Credit

Jacob Baines, Tyler Hicks

References

• http://www.ubuntu.com/usn/usn-2919-1/
• http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1577.html
• http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2116.html