PatchSiren cyber security CVE debrief

CVE-2017-5504 Jasper Project CVE debrief

CVE-2017-5504 is a denial-of-service issue in JasPer’s jpc_undo_roi function in libjasper/jpc/jpc_dec.c. A crafted image can trigger an invalid memory read and crash the application. The CVE record was published on 2017-03-01 and later modified on 2026-05-13.

Vendor: Jasper Project
Product: CVE-2017-5504
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Organizations that use JasPer to parse untrusted image content should care most, especially image-processing pipelines, document handlers, desktop applications, and services that accept uploaded files.

Technical summary

The NVD record identifies CWE-125 (Out-of-bounds Read) and assigns CVSS v3.0 vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The corpus describes the issue as reachable via a crafted image and resulting in an invalid memory read and crash in jpc_undo_roi. References in the record include downstream distro advisories and a Gentoo blog post marked as an Exploit/Third Party Advisory.

Defensive priority

Medium. Prioritize if JasPer is exposed to untrusted images or embedded in a high-availability workflow, because a crash can become a service-impacting availability issue.

Recommended defensive actions

  • Identify where JasPer is deployed and whether it processes user-supplied or externally sourced images.
  • Apply the vendor or distribution updates referenced in the linked advisories for affected packages.
  • If patching is delayed, reduce exposure by limiting untrusted image ingestion and isolating image parsing in a restricted process or container.
  • Monitor for repeated parser crashes or invalid-memory-read symptoms in application and system logs.
  • Retest any image-processing components after updating to confirm the crash condition is no longer reproducible through normal validation paths.
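As an added example of the isolation step above (not JasPer project code), the following Python wrapper runs a decoder command in a child process with memory, CPU and core-dump limits plus a timeout, and reports a signal-killed child as a contained crash instead of letting it take down the caller. The decoder command line is assumed to be supplied by the caller; a POSIX host is assumed.

```python
"""Run an image decoder in an isolated child process so a parser crash, such
as the invalid read in jpc_undo_roi behind CVE-2017-5504, is contained and
reported instead of taking down the calling service. Added example, not JasPer
project code; assumes a POSIX host and a caller-supplied decoder command line.
"""
from __future__ import annotations

import resource
import signal
import subprocess
from dataclasses import dataclass


@dataclass
class DecodeResult:
    status: str                     # "ok", "failed", "crashed" or "timeout"
    returncode: int | None = None   # raw exit status (negative = signal number)
    signal_name: str | None = None  # e.g. "SIGSEGV" when status is "crashed"


def _cap(res: int, limit: int) -> None:
    # Lower a limit without exceeding the hard cap; best effort in sandboxes.
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        limit = min(limit, hard)
    try:
        resource.setrlimit(res, (limit, limit))
    except (ValueError, OSError):
        pass


def _limit_child() -> None:
    # Runs in the child before exec: bound memory and CPU so a runaway decode
    # cannot exhaust the host, and suppress core dumps of untrusted input.
    _cap(resource.RLIMIT_AS, 512 * 1024 * 1024)
    _cap(resource.RLIMIT_CPU, 10)
    _cap(resource.RLIMIT_CORE, 0)


def run_isolated(cmd: list[str], timeout: float = 30.0) -> DecodeResult:
    """Run the decoder command and classify how the child process ended."""
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout,
                              preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        return DecodeResult("timeout")
    rc = proc.returncode
    if rc < 0:  # killed by a signal; SIGSEGV is the out-of-bounds-read symptom
        return DecodeResult("crashed", rc, signal.Signals(-rc).name)
    return DecodeResult("ok" if rc == 0 else "failed", rc)
```

A constructed stand-in such as `sh -c 'kill -11 $$'` exercises the crashed path without a real decoder; in production, pass the actual decoder invocation and feed the returned status into the crash-rate monitoring recommended above.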

Evidence notes

Source corpus evidence ties this CVE to an invalid memory read in jpc_undo_roi within libjasper/jpc/jpc_dec.c, with a crafted image causing a crash. The NVD metadata lists CWE-125 and CVSS v3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The reference set includes openSUSE notices, a SecurityFocus BID, a Gentoo blog advisory, and a Gentoo GLSA. The corpus also contains a version discrepancy: the CVE description mentions JasPer 1.900.27, while the NVD CPE criteria list JasPer 1.900.17.

Official resources

Publicly disclosed in the official CVE/NVD record on 2017-03-01; the record was last modified on 2026-05-13.