The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8690.
[
{
"id": "CVE-2016-8884-0d0f6df7",
"signature_version": "v1",
"digest": {
"length": 908.0,
"function_hash": "336858158783137425965575654221703239953"
},
"target": {
"file": "src/libjasper/base/jas_seq.c",
"function": "jas_matrix_create"
},
"source": "https://github.com/jasper-software/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698",
"signature_type": "Function",
"deprecated": false
},
{
"id": "CVE-2016-8884-2eb70ae8",
"signature_version": "v1",
"digest": {
"line_hashes": [
"71303920133274689466226181545812425676",
"94596582825739538754825427942708852741",
"275471086909385279134964357376236752991"
],
"threshold": 0.9
},
"target": {
"file": "src/libjasper/base/jas_seq.c"
},
"source": "https://github.com/jasper-software/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698",
"signature_type": "Line",
"deprecated": false
},
{
"id": "CVE-2016-8884-533a9cc4",
"signature_version": "v1",
"digest": {
"line_hashes": [
"78973177877917695942638208592209958253",
"212725225705326190465004846873072948550",
"250005734814337826862306175523633005451",
"174480673136472974918934133963232957227",
"69116038732016939922742827558794222153",
"281603356252916559259227721928432709792",
"318085406603409284525238239676050625742",
"118641129552952768440473744706059090681",
"193134872678604225381121387858645529635",
"199937166387260850121312225868863801056",
"92917074845256795268883206691593715767",
"294250722161227081257470682113364523081",
"154405990111369122451450973806739399629",
"175823310022342425432986529838335762815",
"273588352002904665769437215781312199768",
"180998429040125013897728147395770693462",
"56129106083977619482143380465998234460",
"8910729891691865940539364005422125705",
"145789051040975065506187954076816442642",
"192531754977903976340703752365614522672",
"332060732998573184143787208617380997351",
"326333860853835892423194464156211935241",
"97889446831146911932369610927773762490",
"332771738261049717377917334250138429675",
"270755596045753749882424287217064795039",
"322167767617317903190671877369915527931",
"145368597730880639152782015473620825507",
"8707411845387877919543962288074286346",
"314267486699835461041297783376008589014",
"194015683644782531265877841290052538388",
"11658753891436937409727887195579584797",
"274737492504423320891825333031954427373",
"75735118697033336437928615902021781059",
"262540838841247533357222297613532373245",
"295399224259688873328353956616543512347",
"153920317662153056187463550696823321671",
"224643264404938019896581945255641848673",
"49043992406964911650469447437711109637",
"184874286120531686686562300845882839130",
"122625378795675173251758044186141788266",
"266156442886805910791505284316363702218",
"224611412856738176883450651058747496308",
"237852050891441876209241916330977536613",
"186569495922325289644266616094736437360",
"85941260168008482818339067493106036040"
],
"threshold": 0.9
},
"target": {
"file": "src/libjasper/bmp/bmp_dec.c"
},
"source": "https://github.com/jasper-software/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698",
"signature_type": "Line",
"deprecated": false
},
{
"id": "CVE-2016-8884-7bb45442",
"signature_version": "v1",
"digest": {
"length": 2420.0,
"function_hash": "127579757359071162609382256820357015217"
},
"target": {
"file": "src/libjasper/bmp/bmp_dec.c",
"function": "bmp_decode"
},
"source": "https://github.com/jasper-software/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698",
"signature_type": "Function",
"deprecated": false
}
]