CVE-2017-14229 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14229): There is an infinite loop in the jpc_dec_tileinit function in jpc/jpc_dec.c of Jasper 2.0.13. It will lead to a remote denial of service attack. CVE-2017-14132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14132): JasPer 2.0.13 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted image, related to the jas_image_ishomosamp function in libjasper/base/jas_image.c. CVE-2017-1000050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000050): JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check to see if the image contained at least one component resulting in a denial-of-service.
@Maintainers JasPer 2.0.14 is available, please call for stabilization when ready. Thank you
Sci Team Please confirm if this is included in 2.0.14 that is currently stable so we can close the bug
Never Mind answering myself for version 2.0.14 currently stable CVE-2017-14229 - NOT Fixed - https://github.com/mdadams/jasper/issues/146 CVE-2017-14132 - Not fixed - https://github.com/mdadams/jasper/issues/147 CVE-2017-1000050 - Fixed - Version 2.0.13 - https://github.com/mdadams/jasper/issues/120
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c70fe723dcfe0fabab75f3a76942207018e83e1f commit c70fe723dcfe0fabab75f3a76942207018e83e1f Author: David Seifert <soap@gentoo.org> AuthorDate: 2019-07-14 10:29:20 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2019-07-14 10:29:20 +0000 package.mask: Last rite media-libs/jasper Bug: https://bugs.gentoo.org/601068 Bug: https://bugs.gentoo.org/614028 Bug: https://bugs.gentoo.org/614032 Bug: https://bugs.gentoo.org/614566 Bug: https://bugs.gentoo.org/619120 Bug: https://bugs.gentoo.org/624988 Bug: https://bugs.gentoo.org/629286 Bug: https://bugs.gentoo.org/635552 Bug: https://bugs.gentoo.org/662160 Bug: https://bugs.gentoo.org/674154 Bug: https://bugs.gentoo.org/674214 Bug: https://bugs.gentoo.org/684826 Bug: https://bugs.gentoo.org/689784 Signed-off-by: David Seifert <soap@gentoo.org> profiles/base/package.use.mask | 23 +++++++++++++++++++++++ profiles/package.mask | 7 +++++++ 2 files changed, 30 insertions(+)
This issue was resolved and addressed in GLSA 201908-03 at https://security.gentoo.org/glsa/201908-03 by GLSA coordinator Aaron Bauman (b-man).
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77aebdf0b31765b33831ca5b02ea3d98f13c46cd commit 77aebdf0b31765b33831ca5b02ea3d98f13c46cd Author: David Seifert <soap@gentoo.org> AuthorDate: 2019-08-27 09:07:01 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2019-08-27 09:07:01 +0000 media-libs/jasper: Remove from tree Bug: https://bugs.gentoo.org/674214 Closes: https://bugs.gentoo.org/601068 Closes: https://bugs.gentoo.org/614028 Closes: https://bugs.gentoo.org/614032 Closes: https://bugs.gentoo.org/614566 Closes: https://bugs.gentoo.org/619120 Closes: https://bugs.gentoo.org/624988 Closes: https://bugs.gentoo.org/629286 Closes: https://bugs.gentoo.org/635552 Closes: https://bugs.gentoo.org/662160 Closes: https://bugs.gentoo.org/674154 Closes: https://bugs.gentoo.org/684826 Closes: https://bugs.gentoo.org/689784 Package-Manager: Portage-2.3.72, Repoman-2.3.17 Signed-off-by: David Seifert <soap@gentoo.org> media-libs/jasper/Manifest | 2 - .../files/jasper-2.0.14-fix-test-suite.patch | 28 --------- media-libs/jasper/jasper-2.0.14.ebuild | 67 ---------------------- media-libs/jasper/jasper-2.0.16.ebuild | 65 --------------------- media-libs/jasper/jasper-9999.ebuild | 65 --------------------- media-libs/jasper/metadata.xml | 11 ---- 6 files changed, 238 deletions(-)
Removing CVE alias CVE-2017-14232 which was accidentally added instead of CVE-2017-14132.
