CVE-2008-3522

Name	CVE-2008-3522
Description	Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2080-1
Debian Bugs	501021, 559778, 561717

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ghostscript (PTS)	bullseye	9.53.3~dfsg-7+deb11u7	fixed
	bullseye (security)	9.53.3~dfsg-7+deb11u10	fixed
	bookworm	10.0.0~dfsg-11+deb12u6	fixed
	bookworm (security)	10.0.0~dfsg-11+deb12u7	fixed
	trixie, sid	10.05.0~dfsg-1	fixed
netpbm-free (PTS)	bullseye	2:10.0-15.4	fixed
	bookworm	2:11.01.00-2	fixed
	trixie	2:11.09.03-1	fixed
	sid	2:11.10.02-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
ghostscript	source	lenny	8.62.dfsg.1-3.2lenny4		DSA-2080-1
ghostscript	source	(unstable)	8.64~dfsg-2	medium		559778
gs-gpl	source	(unstable)	(unfixed)	medium		561717
jasper	source	(unstable)	1.900.1-5.1	medium		501021
netpbm-free	source	(unstable)	(not affected)

- netpbm-free <not-affected> (dynamically links to ghostscript if available)