PatchSiren cyber security CVE debrief
CVE-2017-5502 Jasper Project CVE debrief
CVE-2017-5502 is a denial-of-service issue in JasPer 1.900.17 located in libjasper/jp2/jp2_dec.c. The public record says a malformed file can crash the decoder through a left shift of a negative value, which is undefined behaviour in C. NVD assigns a medium severity score (5.5) and lists availability as the only impacted property.
- Vendor
- Jasper Project
- Product
- JasPer
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-03-01
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-03-01
- Advisory updated
- 2026-05-13
Who should care
Organizations that use JasPer 1.900.17 to parse JP2/JPEG 2000 images should care, especially if the library is embedded in services or desktop applications that process untrusted image files.
Technical summary
The NVD record identifies the affected component as libjasper/jp2/jp2_dec.c in JasPer 1.900.17 and describes a crash caused by left-shifting a negative value; the public record does not name the function or field involved, and no patch diff is included in the stored evidence. The published CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: no confidentiality or integrity impact, high availability impact, unchanged scope, no privileges required, and user interaction required. NVD does not assign a more specific CWE than NVD-CWE-noinfo, so the weakness class has to be inferred from the description (an undefined-behaviour arithmetic error on attacker-controlled input).
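The following is an added example written for this debrief, not code from JasPer or from the NVD record. It models the class of bug the record describes: a signed value read from an untrusted file is used as the left operand of a shift, which is undefined when the value is negative (UBSan reports it as "left shift of negative value"), beside a hardened version that rejects negative operands, over-wide shift counts and overflowing results before shifting in unsigned arithmetic. The 5-byte field layout, the function names and the sample inputs are all constructed for the example and do not correspond to any JP2 box.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 5-byte "fields": a big-endian signed 32-bit base value followed
 * by a one-byte shift count. Made-up inputs for this example, not JP2 boxes. */
const uint8_t kGoodField[5]      = {0x00, 0x00, 0x00, 0x03, 0x04}; /* 3 << 4          */
const uint8_t kNegativeField[5]  = {0xFF, 0xFF, 0xFF, 0xFF, 0x04}; /* -1 << 4 (UB)    */
const uint8_t kWideShiftField[5] = {0x00, 0x00, 0x00, 0x01, 0x20}; /* 1 << 32 (UB)    */
const uint8_t kOverflowField[5]  = {0x40, 0x00, 0x00, 0x00, 0x01}; /* 2^30 << 1 (UB)  */
const uint8_t kMaxField[5]       = {0x3F, 0xFF, 0xFF, 0xFF, 0x01}; /* largest OK case */

/* Read a big-endian 32-bit value and reinterpret it as signed. Converting an
 * out-of-range uint32_t to int32_t is implementation-defined (it wraps on every
 * mainstream compiler), which is why a file can hand the decoder a negative base. */
static int32_t read_be32(const uint8_t *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)u;
}

/* Vulnerable pattern: the left operand comes straight from the file and may be
 * negative. Left-shifting a negative signed value is undefined behaviour in C;
 * a build with -fsanitize=undefined reports "left shift of negative value". */
int32_t scale_unchecked(int32_t base, unsigned shift)
{
    return base << shift;
}

/* Hardened pattern: refuse every input for which the shift is not defined
 * (negative operand, shift count >= 32, or a result that does not fit in
 * int32_t) and perform the shift in unsigned arithmetic. Returns false on
 * rejection so the caller can abort decoding instead of carrying on. */
bool scale_checked(int32_t base, unsigned shift, int32_t *out)
{
    if (base < 0 || shift >= 32)
        return false;
    if (shift > 0 && (uint32_t)base > ((uint32_t)INT32_MAX >> shift))
        return false;
    *out = (int32_t)((uint32_t)base << shift);
    return true;
}

/* Parse one constructed field with the hardened scaler. Returns the scaled
 * value (always >= 0) or -1 if the field was rejected or truncated. */
int64_t decode_field_checked(const uint8_t *buf, size_t len)
{
    int32_t out;
    if (len < 5)
        return -1;
    if (!scale_checked(read_be32(buf), buf[4], &out))
        return -1;
    return out;
}

int main(void)
{
    const uint8_t *fields[] = {kGoodField, kNegativeField, kWideShiftField,
                               kOverflowField, kMaxField};
    const char *names[] = {"good", "negative base", "shift >= 32", "overflow", "max"};
    for (size_t i = 0; i < 5; i++) {
        int64_t v = decode_field_checked(fields[i], 5);
        if (v < 0)
            printf("%-14s rejected\n", names[i]);
        else
            printf("%-14s -> %" PRId64 "\n", names[i], v);
    }
    /* Only the unchecked path reaches the undefined shift; build with
     * cc -fsanitize=undefined to see the diagnostic for the negative-base field. */
    printf("unchecked negative: %" PRId32 "\n",
           scale_unchecked(read_be32(kNegativeField), kNegativeField[4]));
    return 0;
}
```

Compiled normally the unchecked path usually prints a plausible number, which is why this bug class goes unnoticed until a sanitizer build or an aggressive optimiser turns the undefined shift into a crash; the checked path turns every malformed field into an explicit decode failure.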
Defensive priority
Medium priority. Treat as higher priority if JasPer is present in software that routinely handles untrusted JP2/JPEG 2000 content or if a crash would materially affect service availability.
Recommended defensive actions
- Inventory where JasPer 1.900.17 is installed or embedded, including applications that process JP2/JPEG 2000 files.
- Apply the vendor or downstream package update that addresses CVE-2017-5502, or replace the affected library version where practical.
- Reduce exposure to untrusted image input by limiting who can supply files, sandboxing image parsing, or disabling JP2/JPEG 2000 support if it is not needed.
- Monitor for parser crashes or abnormal termination in systems that use JasPer, and validate that packaged dependencies are updated across all deployed environments.
Evidence notes
The CVE description and NVD record both point to JasPer 1.900.17 and the libjasper/jp2/jp2_dec.c code path. The source corpus also links a Gentoo advisory describing multiple JasPer crashes found with UBSan, which NVD tags as "Exploit, Third Party Advisory"; no exploit code is included here. Note that the NVD narrative says remote attackers can cause a crash, while the published CVSS vector indicates local access and user interaction (AV:L/UI:R). That combination is how NVD commonly scores file-parsing bugs: the crafted file is the delivery vector and a user has to open it. Where JasPer runs behind an upload endpoint or an automated image pipeline, the practical exposure is network-facing with no user interaction, so rate it accordingly in your own risk register.
Official resources
- CVE-2017-5502 CVE record (CVE.org)
- CVE-2017-5502 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: [email protected] (tagged Exploit, Third Party Advisory)
Publicly disclosed on 2017-03-01. The NVD record was last modified on 2026-05-13.