Bug#: 179159
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2007-05-19 22:18 0000
The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly corrupt
the heap via malformed image files, as originally demonstrated using
imagemagick convert.
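The description above names the failure class but not the code, so the following is an added illustration written for this page, not JasPer's jpc_cs.c and not the Debian or Gentoo patch. It shows the shape of the defect and its fix: a QCD/QCC-style segment whose entry count is derived from a length field in the file, parsed into a fixed-size table, where the only thing standing between a crafted length and a heap overrun is a bound check before the fill loop. The struct, the function names and the capacity QCX_MAX_STEPSIZES are assumptions; the 8-bit versus 16-bit entry width follows the JPEG 2000 quantization-style byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacity of the per-component step-size table. It stands in
 * for whatever fixed bound the real jpc_cs.c structure uses, which this bug
 * does not state. */
#define QCX_MAX_STEPSIZES 16
#define QCX_NOQNT 0   /* JPEG 2000 "no quantization": 8-bit SPqcd entries */

typedef struct {
    unsigned qntsty;                       /* quantization style (low 5 bits of Sqcd) */
    unsigned numstepsizes;                 /* entries actually filled */
    uint16_t stepsizes[QCX_MAX_STEPSIZES]; /* fixed-size table */
} qcx_compparms_t;

/* Parse the body of a QCD/QCC-style segment: one style byte followed by
 * step-size entries that are 8-bit for no-quantization and 16-bit
 * big-endian otherwise. The entry count is derived from the segment length
 * written in the file, so it is untrusted and must be bounded before the
 * fill loop; that bound is the check this example exists to show.
 * Returns 0 on success, -1 on malformed input. */
int qcx_parse_compparms(const uint8_t *buf, size_t len, qcx_compparms_t *out)
{
    if (buf == NULL || out == NULL || len < 1)
        return -1;
    memset(out, 0, sizeof *out);
    out->qntsty = buf[0] & 0x1f;
    size_t body = len - 1;
    size_t width = (out->qntsty == QCX_NOQNT) ? 1 : 2;
    if (body % width != 0)            /* truncated trailing entry */
        return -1;
    size_t n = body / width;
    if (n > QCX_MAX_STEPSIZES)        /* reject rather than overrun stepsizes[] */
        return -1;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + 1 + i * width;
        out->stepsizes[i] = (width == 1) ? p[0]
                                         : (uint16_t)((p[0] << 8) | p[1]);
    }
    out->numstepsizes = (unsigned)n;
    return 0;
}

/* Constructed sample: scalar-expounded style (2) with two 16-bit entries. */
int demo_parses_valid_segment(void)
{
    static const uint8_t seg[] = { 0x42, 0x12, 0x34, 0x56, 0x78 };
    qcx_compparms_t p;
    if (qcx_parse_compparms(seg, sizeof seg, &p) != 0)
        return 0;
    return p.qntsty == 2 && p.numstepsizes == 2
        && p.stepsizes[0] == 0x1234 && p.stepsizes[1] == 0x5678;
}

/* Constructed sample: no-quantization style with three 8-bit entries. */
int demo_parses_noqnt_segment(void)
{
    static const uint8_t seg[] = { 0x40, 0x08, 0x10, 0x18 };
    qcx_compparms_t p;
    if (qcx_parse_compparms(seg, sizeof seg, &p) != 0)
        return 0;
    return p.qntsty == QCX_NOQNT && p.numstepsizes == 3 && p.stepsizes[2] == 0x18;
}

/* Constructed sample: a segment whose length implies one more entry than the
 * table holds. Without the bound check the loop would write past the array. */
int demo_rejects_oversize_count(void)
{
    uint8_t seg[1 + 2 * (QCX_MAX_STEPSIZES + 1)];
    memset(seg, 0x11, sizeof seg);
    seg[0] = 0x42;
    qcx_compparms_t p;
    return qcx_parse_compparms(seg, sizeof seg, &p) == -1;
}

/* Constructed sample: odd body length for 16-bit entries. */
int demo_rejects_truncated_entry(void)
{
    static const uint8_t seg[] = { 0x42, 0x12, 0x34, 0x56 };
    qcx_compparms_t p;
    return qcx_parse_compparms(seg, sizeof seg, &p) == -1;
}

int main(void)
{
    printf("valid segment parsed:     %d\n", demo_parses_valid_segment());
    printf("noqnt segment parsed:     %d\n", demo_parses_noqnt_segment());
    printf("oversize count rejected:  %d\n", demo_rejects_oversize_count());
    printf("truncated entry rejected: %d\n", demo_rejects_truncated_entry());
    return 0;
}
```

The point to carry over when auditing a real marker-segment parser is that the count must be checked against the destination's capacity, not merely against the remaining bytes in the input: the input length can always be made large enough, so the only trustworthy bound is the one the parser owns.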

------- Comment #1 From Sune Kloppenborg Jeppesen 2007-05-19 22:26:28 0000 -------
sci please advise.

------- Comment #2 From Markus Dittrich 2007-05-20 17:10:59 0000 -------
Hi guys,

Thanks for the heads-up!

I just had a look at bug #413041 in Debian's bugzilla and
what a mess!
In any case, I just pushed out jasper-1.900.1-r1 which
has the fix for the overflow in jpc/jpc_cs.c. This addresses
the problems with the testfiles broken2.jp2 and broken4.jp2
as posted in Debian's bugzilla. However, the other ones
(broken.jpc, ..) still cause segfaults on my x86 box and
are still unresolved in debian as well AFAICT.

How should we proceed from here? 

Thanks,
Markus

------- Comment #3 From Markus Dittrich 2007-05-20 18:51:40 0000 -------
My apologies, I didn't mean to close this one at all :(
I don't know what happened! Reopening.....

Markus

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-05-20 19:28:39 0000 -------
I guess you checked "Resolve bug" before committing :)

Markus do you have any idea about a possible timeframe for the remaining fixes?

The issue doesn't seem too serious so I'd rather avoid calling arches twice if
it's not needed.

------- Comment #5 From Markus Dittrich 2007-05-20 20:39:35 0000 -------
Unfortunately, I don't know jasper well at all so I don't really
have a time frame yet for when the rest will be fixed and by
whom. I'll keep an eye on debian's bugzilla for any progress.

I suspect that the best way to proceed would be to ping 
upstream, make them aware of the problems (not sure
if this has happened yet) and hope they will provide an
updated release that fixes these issues. I'll ping them later
and post back with any news.

Thanks,
Markus

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-06-03 15:21:06 0000 -------
Markus, any news? Otherwise I'll call arches.

------- Comment #7 From Markus Dittrich 2007-06-04 13:17:36 0000 -------
Hi Sune,

Sorry for the delay! I just heard back from upstream 
and here's what they have to say

----------- SNIP ----------------
On Mon, 21 May 2007, Markus Dittrich wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Greetings and sorry to bug you with this.
> A few days a ago a security advisory
> was issued for libjasper
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721  

I will add your email to my work queue for JasPer.
Since I do not have much time to work on JasPer
these days, it may take a while before I can
resolve the issues mentioned in your email.

--Michael

----------- SNIP -------------------------------------------------

Sounds to me as if the remaining issues won't get
resolved in the very near future. Nothing has happened
over at debian regarding the remaining issues either
AFAICT. Hence, maybe we should just go ahead and
push out what we have so far. What do you think?

Best,
Markus

------- Comment #8 From Sune Kloppenborg Jeppesen 2007-06-04 14:59:37 0000 -------
Thx Michael, let's get this stabled.

Arches please test and mark stable. Target keywords are:

jasper-1.900.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64
s390 sh sparc x86 ~x86-fbsd"

------- Comment #9 From Emanuele Gentili 2007-06-04 15:25:14 0000 -------
media-libs/jasper-1.900.1-r1  USE="jpeg opengl"

1. emerges on x86
2. passes test suite
3. passes collision test
4. works

Portage 2.1.2.7 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r3,
2.6.17-gentoo-r8-panic i686)
=================================================================
System uname: 2.6.17-gentoo-r8-panic i686 Intel(R) Pentium(R) M processor
2.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 04 Jun 2007 08:00:01 +0000
ccache version 2.4 [disabled]
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse
-fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse
-fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox
sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="it_IT.UTF-8"
LC_ALL="C"
LINGUAS="it"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/webapps-experimental
/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi adns alsa apache arts asf ati avi bash-completion beagle
berkdb bitmap-fonts browserplugin bzip2 cairo caps cdr cli cracklib crd crypt
cups curl daap dbus dga djvu dmi dri dts dvd dvdr dvi emacs evo exif fbcon
ffmpeg firefox flac foomatic fortran gdbm gif gimpprint glitz gnome gnutls gpm
gtk hal i810 iconv imagemagick intel ipod ipv6 isdnlog java jpeg kde libg++
libnotify libsexy lns mad midi mmap mmx mng mono mozilla moznocompose moznoirc
moznomail mozsvg mp3 mp4 mpeg mudflap musepack nautilus ncurses network njb nls
nptl nptlonly nsplugin numeric ogg ole opengl openmp openntpd oss pam pcre pdf
perl php png portaudio posix ppds pppd pwdb python qt qt3 radeon readline real
reflection samba sdl session sndfile spl sse sse2 ssl svg t1lib tcpd test
theora threads truetype-fonts type1-fonts unicode usb v4l vcd vorbis
win32codecs wma wmf wmv wxwindows x264 x86 xine xml2 xorg xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1
emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m
maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" LINGUAS="it" USERLAND="GNU" VIDEO_CARDS="vesa i810 vga"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

For me Stable in x86

------- Comment #10 From Gustavo Zacarias (RETIRED) 2007-06-04 15:42:06 0000 -------
The update breaks ABI thus it would be nice to have the big fat usual
"revdep-rebuild" warning stuck to it. It breaks digikam at least.
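As an added illustration of what the revdep-rebuild warning is for (this is not Gentoo's revdep-rebuild and not something from this bug), the script below finds installed ELF consumers whose shared-object dependencies no longer resolve after a library's soname changes, which is exactly what breaks digikam here. The function names and the captured ldd lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not Gentoo's revdep-rebuild: after a library upgrade that
# changes its soname, report installed consumers whose shared-object
# dependencies no longer resolve. Parsing is split from the ldd run so the
# logic can be exercised on captured output without touching the system.

# Read ldd output on stdin; print each unresolved library name once.
missing_libs_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# Report regular ELF files under the given directories that have at least one
# unresolved dependency, as "path: lib ...". Empty output means nothing broken.
find_broken_consumers() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while read -r f; do
            # Cheap ELF check on the 4 magic bytes; skips scripts and data.
            magic=$(head -c 4 "$f" 2>/dev/null | od -An -c | tr -d ' \n')
            [ "$magic" = "177ELF" ] || continue
            libs=$(ldd "$f" 2>/dev/null | missing_libs_from_ldd | tr '\n' ' ')
            if [ -n "$libs" ]; then
                printf '%s: %s\n' "$f" "$libs"
            fi
        done
    done
    return 0
}

# Typical invocation after the upgrade; the directories are the usual
# candidates, adjust to the system's layout:
#   find_broken_consumers /usr/bin /usr/lib /usr/kde/3.5/bin /usr/kde/3.5/lib
```

Anything it lists needs rebuilding against the new library; an empty report after the upgrade is the evidence that the ABI change did not leave dangling consumers behind.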

------- Comment #11 From Sune Kloppenborg Jeppesen 2007-06-04 15:47:28 0000 -------
Markus please provide an updated elog warning.

Arches I guess you can just continue stable marking.

------- Comment #12 From Jeroen Roovers 2007-06-04 16:46:52 0000 -------
Stable for HPPA.

------- Comment #13 From Gustavo Zacarias (RETIRED) 2007-06-04 18:54:24 0000 -------
sparc stable and added the note myself.

------- Comment #14 From Markus Dittrich 2007-06-04 20:30:01 0000 -------
(In reply to comment #13)
> sparc stable and added the note myself.
> 

Thanks much! Unfortunately, I wasn't aware of the ABI break.
I really wonder if I should ask the graphics folks if they
would be willing to take over this package since the sci herd 
doesn't quite seem like its proper home:)

Best,
Markus

------- Comment #15 From Markus Rothe 2007-06-05 19:27:07 0000 -------
ppc64 stable

------- Comment #16 From Tobias Scherbaum 2007-06-05 19:38:47 0000 -------
ppc stable

------- Comment #17 From Christian Faulhammer 2007-06-06 07:50:00 0000 -------
x86 stable

------- Comment #18 From Raúl Porcel 2007-06-06 13:28:05 0000 -------
alpha/ia64 stable

------- Comment #19 From Kenneth Prugh 2007-06-07 23:28:59 0000 -------
media-libs/jasper-1.900.1-r1 is stable on amd64

1) Emerges cleanly with USE="X jpeg jpeg2k mpeg perl png truetype xml zlib
-bzip2 -doc -fpx -graphviz -gs -jbig -lcms -nocxx -tiff -wmf"

2) No Collisions

3) Works

Portage 2.1.2.7 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.5-r3,
2.6.22-rc4-kamikaze x86_64)
=================================================================
System uname: 2.6.22-rc4-kamikaze x86_64 Intel(R) Core(TM)2 CPU          6600 
@ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 07 Jun 2007 15:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild
/etc/terminfo"
CXXFLAGS="-O2 -march=nocona -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict sandbox
sfperms strict test"
GENTOO_MIRRORS="http://gentoo.osuosl.org/
http://distro.ibiblio.org/pub/linux/distributions/gentoo/
http://www.gtlib.gatech.edu/pub/gentoo "
MAKEOPTS="-j3"
PKGDIR="/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl alsa amd64 berkdb bitmap-fonts cli cracklib crypt cups dbus dri
flac fortran gdbm gpm hal iconv ipv6 isdnlog jpeg kde kdeenablefinal libg++ mad
midi mmx mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam
pcre perl png pppd python qt4 readline reflection session spl sse sse2 ssl
symlink tcpd test truetype truetype-fonts type1-fonts unicode vorbis xml xorg
zlib" ALSA_CARDS="usb-audio hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy
dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear
meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

------- Comment #20 From Christoph Mende 2007-06-07 23:31:20 0000 -------
sorry for the delay, amd64 stable, thanks Kenneth

------- Comment #21 From Sune Kloppenborg Jeppesen 2007-06-08 06:18:10 0000 -------
I vote NO.

------- Comment #22 From Raphael Marichez 2007-06-09 20:53:58 0000 -------
"possible?" just "crash"? Then I vote noglsa
