QID 671088

Jasper is an implementation of part 1 of the jpeg 2000 image compression standard.
Security fix(es): the jp2_colr_destroy function in libjasper/jp2/jp2_cod.c in jasper before 1.900.10 allows remote attackers to cause a denial of service (null pointer dereference).(cve-2016-8887) the jp2_cdef_destroy function in jp2_cod.c in jasper before 2.0.13 allows remote attackers to cause a denial of service (null pointer dereference) via a crafted image.(cve-2017-6850) the jp2_colr_destroy function in jp2_cod.c in jasper before 1.900.13 allows remote attackers to cause a denial of service (null pointer dereference) by leveraging incorrect cleanup of jp2 box data on error.
Note: this vulnerability exists because of an incomplete fix for cve-2016-8887.(cve-2016-10250) heap-based buffer overflow in the jpc_dec_decodepkt function in jpc_t2dec.c in jasper 2.0.10 allows remote attackers to have unspecified impact via a crafted image.(cve-2017-6852) race condition in the jas_stream_tmpfile function in libjasper/base/jas_stream.c in jasper 1.900.1 allows local users to cause a denial of service (program exit) by creating the appropriate tmp.
Xxxxxxxxxx temporary file, which causes jasper to exit.
Note: this was originally reported as a symlink issue, but this was incorrect.
Note: some vendors dispute the severity of this issue, but it satisfies cve's requirements for inclusion.(cve-2008-3521)

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

An arbitrary attacker may exploit this vulnerability to compromise the system.