PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8692 Debian CVE debrief

CVE-2016-8692 is a denial-of-service vulnerability in JasPer's JPEG 2000 (JPC) decoder. A crafted image whose SIZ marker segment carries a YRsiz value of 0 triggers a divide-by-zero in jpc_dec_process_siz, crashing the imginfo utility; NVD describes the input as a crafted BMP image. The weakness is classified as CWE-369 (Divide By Zero) and affects JasPer versions before 1.900.4.

Vendor
Debian
Product
JasPer (libjasper)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-15
Original CVE updated
2026-05-13
Advisory published
2017-02-15
Advisory updated
2026-05-13

Who should care

Teams that ship or operate JasPer/libjasper, especially environments listed by NVD as affected (Debian 8.0 and Fedora 25), and anyone allowing imginfo to process untrusted image files.

Technical summary

NVD describes a divide-by-zero condition in libjasper/jpc/jpc_dec.c, specifically in jpc_dec_process_siz, when processing a crafted BMP image with a problematic YRsiz value. In a JPEG 2000 SIZ marker segment, XRsiz and YRsiz are the per-component horizontal and vertical subsampling factors; the decoder uses them as divisors when computing each component's width and height, so a zero YRsiz divides by zero. The result is an application crash rather than code execution or data corruption. NVD assigns CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (base score 5.5), indicating user interaction is required and the only impact is availability.
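The following is an added example, not code from JasPer or from this page: it parses a SIZ marker segment body, performs the per-component dimension computation in the shape of jpc_dec_process_siz (JasPer's JPC_CEILDIV macro divides by the subsampling factor), and shows an unchecked parser beside a hardened one that rejects a zero XRsiz/YRsiz before any division happens. The function names (siz_parse_unchecked, siz_parse_checked, component_dims, build_siz and the wrappers) and the sample segment bytes are constructed for this illustration; the check is the kind of validation the upstream fix applies, not the patch itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ceiling division as in JasPer; the divisor is the subsampling factor. */
#define JPC_CEILDIV(x, y) (((x) + (y) - 1) / (y))
#define MAX_COMPS 4

typedef struct {
    uint8_t prec;   /* Ssiz */
    uint8_t hsamp;  /* XRsiz: horizontal subsampling factor (a divisor) */
    uint8_t vsamp;  /* YRsiz: vertical subsampling factor (a divisor) */
} siz_comp_t;

typedef struct {
    uint32_t width, height;   /* Xsiz, Ysiz */
    uint32_t xoff, yoff;      /* XOsiz, YOsiz */
    uint16_t numcomps;        /* Csiz */
    siz_comp_t comps[MAX_COMPS];
} siz_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a SIZ segment body (the bytes after the 0xFF51 marker).
 * Returns 0 on success, -1 on a malformed segment. This version accepts a
 * zero XRsiz/YRsiz, which is the flaw the CVE describes. */
static int siz_parse_unchecked(const uint8_t *buf, size_t len, siz_t *siz)
{
    if (len < 38) return -1;
    uint16_t lsiz = rd16(buf);
    siz->width = rd32(buf + 4);
    siz->height = rd32(buf + 8);
    siz->xoff = rd32(buf + 12);
    siz->yoff = rd32(buf + 16);
    siz->numcomps = rd16(buf + 36);
    if (siz->numcomps == 0 || siz->numcomps > MAX_COMPS) return -1;
    if (lsiz != 38 + 3 * siz->numcomps || len < lsiz) return -1;
    for (uint16_t i = 0; i < siz->numcomps; i++) {
        siz->comps[i].prec = buf[38 + 3 * i];
        siz->comps[i].hsamp = buf[39 + 3 * i];
        siz->comps[i].vsamp = buf[40 + 3 * i];
    }
    return 0;
}

/* Hardened parse: reject every value the decoder will later divide by. */
static int siz_parse_checked(const uint8_t *buf, size_t len, siz_t *siz)
{
    if (siz_parse_unchecked(buf, len, siz) != 0) return -1;
    if (siz->width == 0 || siz->height == 0 ||
        siz->xoff >= siz->width || siz->yoff >= siz->height) return -1;
    for (uint16_t i = 0; i < siz->numcomps; i++)
        if (siz->comps[i].hsamp == 0 || siz->comps[i].vsamp == 0) return -1;
    return 0;
}

/* Per-component dimensions as jpc_dec_process_siz computes them. With a
 * zero hsamp/vsamp this raises SIGFPE, so it must only see checked input. */
static int component_dims(const siz_t *siz, uint16_t compno, uint32_t *w, uint32_t *h)
{
    if (compno >= siz->numcomps) return -1;
    uint32_t hstep = siz->comps[compno].hsamp, vstep = siz->comps[compno].vsamp;
    *w = JPC_CEILDIV(siz->width, hstep) - JPC_CEILDIV(siz->xoff, hstep);
    *h = JPC_CEILDIV(siz->height, vstep) - JPC_CEILDIV(siz->yoff, vstep);
    return 0;
}

/* Constructed sample: 64x48 image, no offset, one 8-bit component (41 bytes). */
static const uint8_t siz_template[41] = {
    0x00, 0x29, 0x00, 0x00,                         /* Lsiz = 41, Rsiz */
    0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x30, /* Xsiz = 64, Ysiz = 48 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* XOsiz, YOsiz */
    0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x30, /* XTsiz, YTsiz */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* XTOsiz, YTOsiz */
    0x00, 0x01, 0x07, 0x01, 0x01                    /* Csiz = 1; Ssiz, XRsiz, YRsiz */
};

static void build_siz(uint8_t out[41], uint8_t xrsiz, uint8_t yrsiz)
{
    memcpy(out, siz_template, 41);
    out[39] = xrsiz;
    out[40] = yrsiz;
}

/* Wrappers returning one value each: width/height after the hardened parse
 * (0 if the segment is rejected), and whether the old parser accepts it. */
static uint32_t decode_width_checked(uint8_t xrsiz, uint8_t yrsiz)
{
    uint8_t b[41]; siz_t s; uint32_t w = 0, h = 0;
    build_siz(b, xrsiz, yrsiz);
    if (siz_parse_checked(b, sizeof b, &s) != 0) return 0;
    component_dims(&s, 0, &w, &h);
    return w;
}
static uint32_t decode_height_checked(uint8_t xrsiz, uint8_t yrsiz)
{
    uint8_t b[41]; siz_t s; uint32_t w = 0, h = 0;
    build_siz(b, xrsiz, yrsiz);
    if (siz_parse_checked(b, sizeof b, &s) != 0) return 0;
    component_dims(&s, 0, &w, &h);
    return h;
}
static int accepted_unchecked(uint8_t xrsiz, uint8_t yrsiz)
{
    uint8_t b[41]; siz_t s;
    build_siz(b, xrsiz, yrsiz);
    return siz_parse_unchecked(b, sizeof b, &s) == 0;
}

int main(void)
{
    printf("benign 1x1: %ux%u\n", decode_width_checked(1, 1), decode_height_checked(1, 1));
    printf("crafted YRsiz=0: unchecked accepts=%d, checked accepts=%d\n",
           accepted_unchecked(1, 0), decode_height_checked(1, 0) != 0);
    return 0;
}
```

The crafted segment passes the unchecked parser and would reach the division in component_dims, which is the crash path; the checked parser stops it before any arithmetic, which is where such validation belongs.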

Defensive priority

Medium. The issue is a crash-only denial of service, but it is reachable through any image that JasPer-based tooling parses, so a single crafted file can take down an unattended conversion or thumbnailing job that feeds untrusted uploads through libjasper, and a crash of that kind is easily overlooked in automated pipelines.

Recommended defensive actions

  • Upgrade JasPer to version 1.900.4 or later, or apply the vendor-packaged fix for your distribution.
  • Review the Debian (DSA-3785) and Red Hat/Fedora (RHSA-2017:1208) security advisories for the specific package build you deploy and confirm the patched package versions are installed.
  • Restrict where untrusted BMP or other external image files can be processed, and run image-handling jobs with least privilege and process isolation.
  • Monitor for crashes or abnormal termination in imginfo or other JasPer-based tooling, especially when handling externally supplied files.

Evidence notes

The NVD record states that jpc_dec_process_siz in libjasper/jpc/jpc_dec.c can crash on a crafted BMP image via a divide-by-zero tied to YRsiz, with CWE-369 and CVSS 3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. NVD lists JasPer versions through 1.900.3 as vulnerable and includes Debian 8.0 and Fedora 25 CPEs. Public disclosure and follow-on remediation references include oss-security posts from 2016-08-23 and 2016-10-16, Gentoo’s advisory/blog, Debian DSA-3785, Red Hat RHSA-2017:1208, Red Hat bug 1385502, and the upstream patch reference in the supplied corpus.

Official resources

Public disclosure is evidenced by oss-security posts in 2016 (2016-08-23 and 2016-10-16), with NVD publishing the CVE record on 2017-02-15. Vendor advisories and package announcements (Debian DSA-3785, Red Hat RHSA-2017:1208) followed the upstream fix reference.