PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9560 Red Hat CVE debrief

CVE-2016-9560 describes a stack-based buffer overflow in JasPer's jpc_tsfb_getbands2 function. The NVD record ties the issue to JasPer versions before 1.900.30 and to downstream distribution packages, and rates it HIGH with high confidentiality, integrity, and availability impact. The record pairs a description that mentions a remote attacker with a CVSS vector of AV:L (local attack vector) and UI:R (user interaction required), so defenders should assess their actual image-processing exposure and patch status rather than rely on the wording alone.

Vendor: Red Hat
Product: CVE-2016-9560
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security teams, Linux distribution maintainers, and application owners that use JasPer or downstream packages to process JPEG 2000 images, especially where untrusted files can reach decoding workflows.

Technical summary

The vulnerable component is jpc_tsfb_getbands2 in jpc_tsfb.c. NVD classifies the weakness as CWE-787 (out-of-bounds write) and lists JasPer versions before 1.900.30 as affected. The corpus also includes downstream advisories for Debian and Red Hat, indicating packaged products were patched as part of vendor errata.

Defensive priority

High. This is a memory-corruption flaw in a commonly embedded image library, with high CVSS impact and multiple vendor advisories. Prioritize if JasPer is present in services that decode user-supplied images or in supported distro packages.

Recommended defensive actions

  • Confirm whether JasPer is installed directly or bundled through a downstream package.
  • Upgrade JasPer to 1.900.30 or apply the vendor-provided fixed package from your distribution advisory.
  • Review the status of affected downstream packages referenced by Debian DSA-3785 and Red Hat RHSA-2017:1208.
  • Restrict or monitor workflows that process untrusted JPEG 2000 images until patching is complete.
  • Validate that image-processing services are using the patched library version after remediation.
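The first, second and last actions above come down to finding JasPer on a host and deciding whether its version predates the 1.900.30 fix. The script below is an added example written for this debrief, not code from PatchSiren, NVD or the JasPer project; the package names it queries (jasper, jasper-libs, libjasper*) are assumptions about common distro naming.

```shell
#!/bin/sh
# Added example: check JasPer exposure to CVE-2016-9560 (fixed upstream in 1.900.30).
FIXED_VERSION="1.900.30"

# version_lt A B: exit 0 if dotted version A sorts before B, comparing each
# component numerically (so 1.900.4 < 1.900.30, and 2.0.10 > 1.900.30).
version_lt() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1      # all components equal
        x=$(printf '%s' "${x:-0}" | tr -cd '0-9')   # keep digits only
        y=$(printf '%s' "${y:-0}" | tr -cd '0-9')
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
}

# jasper_vulnerable VERSION: exit 0 if the upstream part of VERSION is older than
# the fix. A distro suffix such as "-1" or "+deb8u3" is stripped before comparing;
# distro packages may backport the fix under an older upstream number, so for
# those compare against the package version named in DSA-3785 / RHSA-2017:1208.
jasper_vulnerable() {
    upstream=$(printf '%s' "$1" | sed 's/[-+].*$//')
    version_lt "$upstream" "$FIXED_VERSION"
}

# find_jasper: list JasPer packages known to rpm or dpkg, plus any libjasper
# shared object registered with the dynamic loader (bundled copies).
find_jasper() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' jasper jasper-libs 2>/dev/null \
            | grep -v 'not installed' || true
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'libjasper*' 2>/dev/null || true
    fi
    ldconfig -p 2>/dev/null | grep -i jasper || true
    return 0
}

# Usage on a host:  find_jasper ; jasper_vulnerable 1.900.1 && echo "older than fix"
```

Run find_jasper on each host that decodes untrusted JPEG 2000 data and feed each reported version to jasper_vulnerable; a hit means the upstream version predates the fix and the distro advisory must be consulted for the backported package version.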

Evidence notes

The supplied corpus identifies the flaw as a stack-based buffer overflow in jpc_tsfb_getbands2, with JasPer before 1.900.30 marked vulnerable. NVD assigns CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and CWE-787. The reference set includes Debian and Red Hat advisories, an OSS-security patch discussion, and a JasPer commit, supporting both upstream and downstream remediation. The record should be interpreted using the published CVE date of 2017-02-15; later metadata modifications do not change the original issue date.

Official resources

Official CVE publication date is 2017-02-15. Supporting patch and advisory discussion appears in November 2016 OSS-security posts, indicating upstream awareness before the public CVE record.