Gentoo Bug 196860 - app-text/ghostscript-gnu /gpl Jasper heap corruption (CVE-2007-2721)

Description:

Opened: 2007-10-24 00:45 0000

CVE-2007-2721 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721):
  The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000
  library (libjasper) before 1.900 allows remote user-assisted attackers to
  cause a denial of service (crash) and possibly corrupt the heap via malformed
  image files, as originally demonstrated using imagemagick convert.

------- Comment #1 From Robert Buchholz 2007-10-24 00:53:48 0000 -------

Both app-text/ghostscript-gpl and app-text/ghostscript-gnu contain code copies
of media-libs/jasper.

CVE-2007-2721 as fixed in bug 179159 might still affect these packages. For
ghostscript-gpl I could confirm that the Jasper code is compiled. I did not
check every available ebuild, only the latest stables.

Ghostscript accepted the jasper patch upstream:
http://cvs.ghostscript.com/cgi-bin/viewcvs.cgi/ghostscript?rev=8298&view=rev

See URL for further reference.

------- Comment #2 From Robert Buchholz 2007-11-01 18:57:13 0000 -------

*** Bug 197802 has been marked as a duplicate of this bug. ***

------- Comment #3 From Timo Gurr 2007-11-02 20:48:25 0000 -------

ghostscript-gpl revisions which apply the patch are now in the tree as:

ghostscript-gpl-8.60-r1
ghostscript-gpl-8.57-r1
ghostscript-gpl-8.54-r1

------- Comment #4 From Robert Buchholz 2007-11-03 12:07:13 0000 -------

Thanks. Timo, what about app-text/ghostscript-gnu?

Arches, please test and mark stable app-text/ghostscript-gpl-8.60-r1.
Target keywords : "amd64 arm hppa ppc sh sparc x86"

------- Comment #5 From Ferris McCormick 2007-11-03 14:15:34 0000 -------

Sparc stable for ghostscript-gpl-8.60-r1.

------- Comment #6 From Markus Meier 2007-11-04 15:49:10 0000 -------

x86 stable

------- Comment #7 From Jeroen Roovers 2007-11-05 11:18:18 0000 -------

Stable for HPPA.

------- Comment #8 From Tobias Scherbaum 2007-11-05 18:35:50 0000 -------

ppc stable

------- Comment #9 From Chris Gianelloni (RETIRED) 2007-11-06 20:39:39 0000 -------

Ehh... I've gone and done app-text/ghostscript-gpl on amd64.  Are we supposed
to be doing anything with app-text/ghostscript-gnu?  If so, add us back to this
bug.

------- Comment #10 From Robert Buchholz 2007-11-06 21:44:59 0000 -------

(In reply to comment #9)
> Are we supposed to be doing anything with app-text/ghostscript-gnu?

Not until printing has an ebuild ready.

------- Comment #11 From Robert Buchholz 2007-11-12 02:42:04 0000 -------

Timo, printing, any word on -gnu?

------- Comment #12 From Timo Gurr 2007-11-13 23:38:31 0000 -------

(In reply to comment #11)
> Timo, printing, any word on -gnu?

Sorry for the delay. ghostscript-gnu revision which applies the patch is now in
the tree as:

ghostscript-gnu-8.60.0-r1

------- Comment #13 From Robert Buchholz 2007-11-13 23:53:54 0000 -------

Arches, please test and mark stable app-text/ghostscript-gnu-8.60.0-r1.
Target keywords : "ppc64"


(In reply to comment #9)
> Ehh... I've gone and done app-text/ghostscript-gpl on amd64.  Are we supposed
> to be doing anything with app-text/ghostscript-gnu?  If so, add us back to this
> bug.

Seems it was never stable on amd64, so nothing to do.

------- Comment #14 From Markus Rothe 2007-11-14 06:23:48 0000 -------

ppc64 done

------- Comment #15 From Robert Buchholz 2007-11-14 17:45:54 0000 -------

GLSA vote now open.

From the description of the bug I'd vote yes, but bug 179159 went [noglsa].

------- Comment #16 From Pierre-Yves Rofes 2007-11-20 22:10:42 0000 -------

voting no since previous went noglsa.

------- Comment #17 From Robert Buchholz 2007-12-02 12:34:24 0000 -------

Voting NO and closing.

Bug 196860 depends on:			Show dependency tree
Bug 196860 blocks:			Show dependency tree

Bugzilla Bug 196860

app-text/ghostscript-gnu /gpl Jasper heap corruption (CVE-2007-2721)

Last modified: 2008-01-10 09:02:26 0000