CVE-2011-4517

Published: Dec 15, 2011Modified: Apr 29, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 uses an incorrect data type during a certain size calculation, which allows remote attackers to trigger a heap-based buffer overflow and execute arbitrary code, or cause a denial of service (heap memory corruption), via a crafted component registration (CRG) marker segment in a JPEG2000 file.

Affected (15)

Products: Jasper Project: Jasper · Canonical: Ubuntu Linux · Debian: Debian Linux · +4 more

Show all products

Jasper Project: Jasper · Canonical: Ubuntu Linux · Debian: Debian Linux · Fedoraproject: Fedora · Oracle: Outside In Technology · Suse: Linux Enterprise Desktop, Linux Enterprise Server, Linux Enterprise Software Development Kit · Redhat: Enterprise Linux Desktop

1 product

1 product

1 product

1 product

1 product

Outside In Technology

Suse

3 products

Linux Enterprise Desktop

Linux Enterprise Server

Linux Enterprise Software Development Kit

Redhat

1 product

Enterprise Linux Desktop

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jasper Project Jasper	Version 1.900.1

Configuration B

13 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 10.04
Canonical Ubuntu Linux	Version 10.10
Canonical Ubuntu Linux	Version 11.04
Canonical Ubuntu Linux	Version 11.10
Debian Debian Linux	Version 6.0
Fedoraproject Fedora	Version 15
Fedoraproject Fedora	Version 16
Oracle Outside In Technology	Version 8.3.5
Oracle Outside In Technology	Version 8.3.7
Suse Linux Enterprise Desktop	Version 11 sp1
Suse Linux Enterprise Server	Version 11 sp1
Suse Linux Enterprise Server	Version 11 sp1
Suse Linux Enterprise Software Development Kit	Version 11 sp1

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 4

Related CWEs

CWE-787

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (38)

http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071458.html

Source: cret@cert.org

Mailing ListThird Party Advisory

http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071561.html

Source: cret@cert.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00010.html

Source: cret@cert.org

Mailing ListThird Party Advisory

http://osvdb.org/77596

Source: cret@cert.org

Broken Link

http://rhn.redhat.com/errata/RHSA-2015-0698.html

Source: cret@cert.org

Third Party Advisory

http://secunia.com/advisories/47193

Source: cret@cert.org

Not Applicable

http://secunia.com/advisories/47306

Source: cret@cert.org

Not Applicable

http://secunia.com/advisories/47353

Source: cret@cert.org

Not Applicable

http://www-01.ibm.com/support/docview.wss?uid=swg21660640

Source: cret@cert.org

Broken Link

http://www.debian.org/security/2011/dsa-2371

Source: cret@cert.org

Third Party Advisory

http://www.kb.cert.org/vuls/id/887409

Source: cret@cert.org

Third Party AdvisoryUS Government Resource

http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Source: cret@cert.org

Third Party Advisory

http://www.redhat.com/support/errata/RHSA-2011-1807.html

Source: cret@cert.org

Third Party Advisory

http://www.redhat.com/support/errata/RHSA-2011-1811.html

Source: cret@cert.org

Third Party Advisory

http://www.securityfocus.com/bid/50992

Source: cret@cert.org

Broken LinkVDB Entry

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.538606

Source: cret@cert.org

Release Notes

http://www.ubuntu.com/usn/USN-1315-1

Source: cret@cert.org

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=747726

Source: cret@cert.org

Issue Tracking

https://exchange.xforce.ibmcloud.com/vulnerabilities/71701

Source: cret@cert.org

Third Party AdvisoryVDB Entry

http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071458.html