{"id":"CVE-2016-8693","details":"Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command.","modified":"2026-04-11T05:01:01.573622Z","published":"2017-02-15T19:59:00.923Z","related":["MGASA-2017-0474","SUSE-SU-2016:2775-1","SUSE-SU-2016:2776-1","openSUSE-SU-2024:10281-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/08/23/6"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/10/16/14"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/93587"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1208"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-11/msg00010.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3785"},{"type":"FIX","url":"https://github.com/mdadams/jasper/commit/44a524e367597af58d6265ae2014468b334d0309"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/10/16/jasper-double-free-in-mem_close-jas_stream-c/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1385507"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jasper-software/jasper","events":[{"introduced":"0"},{"fixed":"44a524e367597af58d6265ae2014468b334d0309"}]},{"type":"GIT","repo":"https://github.com/mdadams/jasper","events":[{"introduced":"0"},{"last_affected":"e85c498d29cde9d5062e7aaae5a6bf018e80552d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.900.5"}]}}],"versions":["version-1.900.1","version-1.900.2","version-1.900.3","version-1.900.4","version-1.900.5","version-1.900.6","version-1.900.7","version-1.900.8","version-1.900.9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"13.2"}]},{"events":[{"introduced":"0"},{"last_affected":"23"}]}],"vanir_signatures_modified":"2026-04-11T05:01:01Z","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["319348426176898312395762141354413540855","212237252549174315940848886191493667447","83188621114365130340234383120782591168","261974774951400936541731396934200432721","313915629148189820745358666201995060165","332889218530253578131851361112756377674"]},"signature_version":"v1","target":{"file":"src/libjasper/base/jas_stream.c"},"signature_type":"Line","id":"CVE-2016-8693-06c10e52","source":"https://github.com/jasper-software/jasper/commit/44a524e367597af58d6265ae2014468b334d0309","deprecated":false},{"digest":{"length":295,"function_hash":"234442291615711478744387203658053122596"},"signature_version":"v1","target":{"function":"mem_resize","file":"src/libjasper/base/jas_stream.c"},"signature_type":"Function","id":"CVE-2016-8693-d2a394cf","source":"https://github.com/jasper-software/jasper/commit/44a524e367597af58d6265ae2014468b334d0309","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8693.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}