From ${URL} : A new use-after-free was found in Jasper JPEG-200. The use-after-free appears in the function mif_process_cmpt of the src/libjasper/mif/mif_cod.c file. Both tvp and tvp->buf are freed by jas_tvparser_destroy(tvp) (line 572), but if one of the two following branch conditions is taken (line 573/576), a second call to jas_tvparser_destroy(tvp) occurs (line 586). It is a use-after-free because before calling free in jas_tvparser_destroy there is a check to tvp->buf, while tvp could have been freed. Two double free take place just after this check (on tvp->buf and tvp). A simple fix should be to move the first call of jas_tvparser_destroy after the two branch conditions (or set tvp to NULL after it has been freed in mif_process_cmpt). @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This is fixed in the latest jasper-1.900.6 We will stabilize it.
Bug rating for this package has been B. Severity adjusted. GLSA Vote: No