PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5499 Jasper Project CVE debrief

CVE-2017-5499 affects JasPer 1.900.17 and is described by NVD as an integer overflow in libjasper/jpc/jpc_dec.c that can let a crafted file crash the application. NVD classifies the weakness as CWE-190 and assigns CVSS 3.0 5.5 (MEDIUM), with impact limited to availability. The record was published on 2017-03-01 and later modified on 2026-05-13.

Vendor: Jasper Project
Product: CVE-2017-5499
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Administrators, maintainers, and developers who use JasPer 1.900.17 or ship libjasper-based image parsing in products that may process untrusted files.

Technical summary

The vulnerable component is libjasper/jpc/jpc_dec.c in JasPer 1.900.17. NVD identifies the flaw as an integer overflow (CWE-190) leading to denial of service (application crash) when a crafted file is parsed. The NVD CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: high availability impact, no confidentiality or integrity impact, a local attack vector (AV:L), and user interaction required (UI:R). This differs from the prose description, which refers to remote attackers.

Defensive priority

MEDIUM

Recommended defensive actions

  • Inventory systems that include JasPer 1.900.17 or bundled libjasper components.
  • Upgrade to a vendor-fixed JasPer release where available.
  • Restrict or sandbox processing of untrusted files until patched.
  • Monitor for parser crashes or repeated decoding failures in applications that process image content through JasPer.
  • If the vulnerable component is embedded in a third-party product, track the vendor's remediation guidance and update that product as well.

Evidence notes

Primary evidence comes from the NVD record and CVE record for CVE-2017-5499, which identify JasPer 1.900.17, libjasper/jpc/jpc_dec.c, CWE-190, and CVSS 3.0 5.5. The source reference set also includes a Gentoo advisory about multiple crashes and two openSUSE security announcements. Note that the narrative description says 'remote attackers,' while the CVSS vector indicates a local, user-interaction-required attack path; this discrepancy is visible in the supplied source corpus.

Official resources

CVE-2017-5499 was published on 2017-03-01 and modified on 2026-05-13 in the supplied NVD record. PatchSiren timing is not used as the issue date.