Double Free in jasper (Alpine package)



Published: 2015-09-21
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2015-5203
CWE-ID: CWE-415
Exploitation vector: Local
Public exploit: N/A
Vulnerable software: jasper (Alpine package)
Operating systems & Components / Operating system package or component

Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Double Free

EUVDB-ID: #VU33529

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-5203

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.

Double free vulnerability in the jasper_image_stop_load function in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

jasper (Alpine package): 1.900.1-r9 - 1.900.1-r10

External links

http://git.alpinelinux.org/aports/commit/?id=9d20dfb4b70c35a10a26afd2ddfb7f487ee2eeb9
http://git.alpinelinux.org/aports/commit/?id=5cb610fc7996f6d7ddcdffd54f62c2adc184be7a
http://git.alpinelinux.org/aports/commit/?id=244e4d797e740c7fedf8e3e9df9d9d85859b11b4
http://git.alpinelinux.org/aports/commit/?id=6ed682fc456c44bcc9388dc0363d4102eb525974
http://git.alpinelinux.org/aports/commit/?id=876243c7f957d20029e50f3822f4b38c87c31c8e
http://git.alpinelinux.org/aports/commit/?id=fccc4781d1d7e717df10168e8a7d01c2290a5ae3
http://git.alpinelinux.org/aports/commit/?id=17601c4c50bab87d35d2b0587dc206ec61af122e
http://git.alpinelinux.org/aports/commit/?id=2b2d458b50da34ebb2659bbdcaecac89f7945dd6


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


