File _patchinfo of Package patchinfo.40244
<patchinfo incident="40244">
  <issue tracker="bnc" id="1247904">VUL-0: CVE-2025-8835: jasper: NULL pointer dereference in function jas_image_chclrspc of file src/libjasper/base/jas_image.c of the component Image Color Space Conversion Handler</issue>
  <issue tracker="bnc" id="1247901">VUL-0: CVE-2025-8837: jasper: use-after-free in function jpc_dec_dump file src/libjasper/jpc/jpc_dec.c of the component JPEG2000 File Handler</issue>
  <issue tracker="bnc" id="1247902">VUL-0: CVE-2025-8836: jasper: assertion failure in the jpc_floorlog2 function can be triggered through the use of malformed codec options</issue>
  <issue tracker="cve" id="2025-8836"/>
  <issue tracker="cve" id="2025-8835"/>
  <issue tracker="cve" id="2025-8837"/>
  <packager>mvetter</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for jasper</summary>
  <description>This update for jasper fixes the following issues:

- CVE-2025-8835: missing range check in the JPEG-2000 (JPC) Encoder leads to assertion failure and crash when
  processing a malformed JPEG2000 image with an invalid `cblkwidth` parameter (bsc#1247904).
- CVE-2025-8836: out-of-bounds array indexing in function `jas_image_chclrspc` leads to crash when processing a
  malformed image file with BMP output format and color space conversion (bsc#1247902).
- CVE-2025-8837: missing operations in cleanup code of the JPEG-2000 (JPC) Encoder leads to use-after-free when
  processing malformed JPEG2000 images with certain debug levels enabled (bsc#1247901).
</description>
</patchinfo>