Message-ID: <8a5a04a665204da0b2ed5ad2766b05b3@imshyb01.MITRE.ORG>
Date: Mon, 16 Jan 2017 19:06:47 -0500
From: <cve-assign@...re.org>
To: <ago@...too.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: jasper: multiple crashes with UBSAN

> http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/

> [] jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11
> runtime error: left shift of negative value -185

Use CVE-2017-5498.

> [] jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838:9
> runtime error: signed integer overflow: -64356352 * 6359082673847140352 cannot
> be represented in type 'long'

Use CVE-2017-5499.

> [] jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819:40
> runtime error: shift exponent 117 is too large for 64-bit type 'jpc_fix_t'
> (aka 'long')

Use CVE-2017-5500.

> [] jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233:35
> runtime error: signed integer overflow: 2013306369 + 251691968 cannot be
> represented in type 'int'

Use CVE-2017-5501.

> [] jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:485:49
> runtime error: left shift of negative value -26

Use CVE-2017-5502.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]