From $URL: Description: ============ jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard. A crafted image, maybe posted in the past as testcase for another bug, causes in the 1.900.18 version a use-after-free. No fuzzers involved at this time. Affected version: ================= 1.900.18 Fixed version: ============== 1.900.22 Commit fix: =========== https://github.com/mdadams/jasper/commi/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735 Credit: ======= This bug was discovered by Agostino Sarubbo of Gentoo. CVE: ==== CVE-2016-9262 Reproducer: =========== https://github.com/asarubbo/poc/blob/master/00028-jasper-uaf-jas_realloc Timeline: ========= 2016-11-02: bug discovered and reported to upstream 2016-11-06: upstream released a patch and 1.900.22 2016-11-07: blog post about the issue 2016-11-10: CVE assigned
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
hello Thomas. I didn't file the bugs here because for now, jasper is in continue update because of security bugs. There are dozens of bugs still open. I'd like to stabilize a version which at least covers something else, to avoid arches to stabilize more versions in few days.
The first upstream version that contains the fix for this bug is 1.900.22 The first fixed version in tree was 1.900.26 So it will be fixed in the next stabilization of jasper. I'm adding stable blocked because there are some things that seems to not work in the latest jasper regards multilib and gold/bfd
Version 2.0.12 in tree. Old removed Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201707-07 at https://security.gentoo.org/glsa/201707-07 by GLSA coordinator Thomas Deutschmann (whissi).
