PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8691 Debian CVE debrief

CVE-2016-8691 affects JasPer before 1.900.4 and can crash the imginfo command when it processes a crafted image carrying a malicious XRsiz value (the NVD description calls the input a BMP image; XRsiz itself is a per-component sampling factor in the JPEG 2000 SIZ marker segment). The issue is a denial of service only: the supplied NVD record classifies the weakness as CWE-369 (divide by zero) and the CVSS impact as availability loss, not code execution or data theft.

Vendor
Debian
Product
JasPer
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-15
Original CVE updated
2026-05-13
Advisory published
2017-02-15
Advisory updated
2026-05-13

Who should care

Teams that deploy JasPer, package it into applications, or run image-processing workflows that handle untrusted files should care most. This includes operators of systems that invoke imginfo or similar parsing tools, and maintainers tracking distro packages referenced by the NVD record.

Technical summary

The vulnerable path is jpc_dec_process_siz in libjasper/jpc/jpc_dec.c, the routine that consumes the JPEG 2000 SIZ marker segment (XRsiz and YRsiz are that segment's per-component horizontal and vertical sampling factors). According to the supplied description, a crafted XRsiz value in what NVD calls a BMP image reaches this routine and triggers a divide-by-zero error and application crash: the decoder divides image dimensions by the sampling factor, and a factor of zero is the classic CWE-369 condition, which a hardened parser rejects before any division takes place. NVD maps the weakness to CWE-369 and gives CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (5.5, Medium): the attacker needs a user or an automated pipeline to process the file, requires no privileges, and the only impact is availability. The NVD CPE data in the corpus marks JasPer versions through 1.900.3 as vulnerable, with distro entries also listed for Debian 8.0 and Fedora 25.
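The following is an added example, not JasPer's own code: a minimal parser for the JPEG 2000 SIZ marker segment (ITU-T T.800 layout) that computes per-component dimensions the way a decoder must, by ceiling-dividing the image extent by XRsiz and YRsiz. It shows the vulnerable shape (trust the factor, divide, crash on zero) beside the hardened shape (validate the factor against the 1..255 range the standard allows, then divide). The sample segments are constructed here; the helper names (build_siz, parse_siz, validate_siz, outcome) are this example's own and do not correspond to JasPer functions.

```python
import struct

SIZ_MARKER = 0xFF51  # JPEG 2000 SIZ marker (ITU-T T.800, A.5.1)

def build_siz(width, height, comps, xoff=0, yoff=0):
    """Build a SIZ marker segment. comps: list of (bit depth, XRsiz, YRsiz).
    Constructed sample data for this example; not taken from a real file."""
    body = struct.pack(">HIIIIIIIIH", 0, width, height, xoff, yoff,
                       width, height, 0, 0, len(comps))
    for depth, xrsiz, yrsiz in comps:
        body += struct.pack(">BBB", depth - 1, xrsiz, yrsiz)  # Ssiz, XRsiz, YRsiz
    return struct.pack(">HH", SIZ_MARKER, 2 + len(body)) + body

def parse_siz(data):
    """Decode the SIZ marker segment into the fields the decoder needs."""
    marker, lsiz = struct.unpack_from(">HH", data, 0)
    if marker != SIZ_MARKER:
        raise ValueError("not a SIZ marker segment")
    fields = struct.unpack_from(">HIIIIIIIIH", data, 4)
    _rsiz, xsiz, ysiz, xosiz, yosiz, _xt, _yt, _xto, _yto, csiz = fields
    if lsiz != 38 + 3 * csiz or len(data) < 40 + 3 * csiz:
        raise ValueError("Lsiz inconsistent with Csiz")
    comps = []
    for i in range(csiz):
        ssiz, xrsiz, yrsiz = struct.unpack_from(">BBB", data, 40 + 3 * i)
        comps.append({"depth": (ssiz & 0x7F) + 1, "signed": bool(ssiz & 0x80),
                      "xrsiz": xrsiz, "yrsiz": yrsiz})
    return {"xsiz": xsiz, "ysiz": ysiz, "xosiz": xosiz, "yosiz": yosiz, "comps": comps}

def ceildiv(a, b):
    """Ceiling division; the divisor here is a sampling factor read from the file."""
    return (a + b - 1) // b

def component_dims_unchecked(siz):
    """Vulnerable shape: trusts XRsiz/YRsiz. A zero factor raises ZeroDivisionError
    here; in a C decoder the same division is a SIGFPE that kills the process."""
    return [(ceildiv(siz["xsiz"], c["xrsiz"]) - ceildiv(siz["xosiz"], c["xrsiz"]),
             ceildiv(siz["ysiz"], c["yrsiz"]) - ceildiv(siz["yosiz"], c["yrsiz"]))
            for c in siz["comps"]]

def validate_siz(siz):
    """Hardened check: T.800 requires 1 <= XRsiz, YRsiz <= 255 and a non-empty
    image area. Reject before any division happens."""
    if siz["xsiz"] <= siz["xosiz"] or siz["ysiz"] <= siz["yosiz"]:
        raise ValueError("empty image area")
    for i, c in enumerate(siz["comps"]):
        if not 1 <= c["xrsiz"] <= 255 or not 1 <= c["yrsiz"] <= 255:
            raise ValueError(f"component {i}: XRsiz/YRsiz must be in 1..255")
    return siz

def component_dims_checked(siz):
    """Hardened shape: validate, then compute exactly as before."""
    return component_dims_unchecked(validate_siz(siz))

def outcome(fn, data):
    """Run a dimension routine on a raw SIZ segment and report the result or the
    exception type, so the two behaviours can be compared side by side."""
    try:
        return ("ok", fn(parse_siz(data)))
    except (ZeroDivisionError, ValueError) as exc:
        return (type(exc).__name__, str(exc))

# Constructed samples: a plausible 4:2:0-subsampled 3-component image, and one
# whose first component carries XRsiz = 0 (the CWE-369 trigger).
BENIGN = build_siz(640, 480, [(8, 1, 1), (8, 2, 2), (8, 2, 2)])
MALICIOUS = build_siz(640, 480, [(8, 0, 1)])

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "unchecked:", outcome(component_dims_unchecked, data))
        print(name, "checked:  ", outcome(component_dims_checked, data))
```

Because XRsiz and YRsiz are single bytes, the only out-of-range value a parser can actually encounter is zero, which is why the check is cheap and why its absence is a crash rather than a subtle corruption. Note that the malicious segment is otherwise well formed: its length, marker and component count are all consistent, so a magic-byte or structural file-type filter would pass it and only the field-level check stops it.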

Defensive priority

Medium. The issue is not an integrity or code-execution flaw, but it can still be disruptive wherever untrusted images are processed automatically or at scale.

Recommended defensive actions

  • Upgrade JasPer to 1.900.4 or a vendor-fixed package version that includes the upstream fix.
  • Apply the relevant distro security updates referenced in the corpus, such as Debian DSA-3785 or the corresponding Red Hat errata, where applicable to your platform.
  • Treat image parsing as untrusted input handling: isolate, sandbox, or minimize privileges for tools like imginfo.
  • Add input validation at ingestion points, and treat file-type or magic-byte checks as necessary but not sufficient: a JPEG 2000 codestream whose SIZ marker carries XRsiz = 0 is still structurally plausible, so the parser itself must reject zero sampling factors before dividing by them.
  • Monitor for parser crashes, in particular SIGFPE (divide-by-zero) terminations of imginfo or other JasPer-linked processes, in image-processing services to catch exposed deployments quickly.

Evidence notes

This debrief is based on the supplied NVD/CVE record, which describes a divide-by-zero crash in JasPer before 1.900.4 and cites CWE-369. The corpus also includes vendor and community references from Debian, Red Hat, Fedora, Gentoo, Bugzilla, and an upstream patch commit, all consistent with a denial-of-service fix for malformed image input. Timing context uses the CVE published date of 2017-02-15 and the NVD modified date of 2026-05-13.

Official resources

The corpus contains the CVE record (published 2017-02-15, modified 2026-05-13) together with the related advisories and mailing-list references from 2016 noted above. This debrief uses the CVE published date for disclosure timing.