Bug 734284 - media-libs/jasper - a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard
Summary: media-libs/jasper - a free software-based reference implementation of the cod...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Michael Vetter
URL: https://www.ece.uvic.ca/~frodo/jasper/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-28 11:04 UTC by Michael Vetter
Modified: 2024-01-11 16:01 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Michael Vetter 2020-07-28 11:04:25 UTC
https://bugs.gentoo.org/689784 removed jasper from the tree as I proposed in https://github.com/jasper-software/jasper/issues/208#issue-463674791.

Now we were able to release 2.0.19 which fixes all known CVEs.

So I would suggest to add it back into the tree.
See https://github.com/jasper-software/jasper/issues/208#issuecomment-664945128 for details

Reproducible: Always
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2020-07-28 15:07:59 UTC
(In reply to Michael Vetter from comment #0)
> https://bugs.gentoo.org/689784 removed jasper from the tree as I proposed in
> https://github.com/jasper-software/jasper/issues/208#issue-463674791.
> 
> Now we were able to release 2.0.19 which fixes all known CVEs.
> 
> So I would suggest to add it back into the tree.
> See
> https://github.com/jasper-software/jasper/issues/208#issuecomment-664945128
> for details
> 
> Reproducible: Always

I didn't read the whole thread on GitHub, but how sustainable is this sudden surge of contributions to fix sec issues?

Would really hate to rinse and repeat this...
Comment 2 Michael Vetter 2020-07-28 19:02:37 UTC
> I didn't read the whole thread on GitHub, but how sustainable is this sudden surge of contributions to fix sec issues?

It's a long thread indeed.
The contributions are not sudden however. It was months of work until we got there.
A lot of fights too.

In between we forked the project, worked on it. And when we were ready to create a new release new discussions began.

In the end we could agree on things and 3 people have commit rights and maintain jasper together now. Before there was only one person.

So I would say chances are much better.

Also JasPer was not removed because it had one unfixed CVE but quite a few, for quite a long time. Now we fixed all of them (to my knowledge) and will try to improve some others things too.

I can't foretell the future but I hope it doesn't get so bad that we have to remove it again ;)
Comment 3 Michael Vetter 2023-02-10 09:22:51 UTC
Update:

> I didn't read the whole thread on GitHub, but how sustainable is this sudden surge of contributions to fix sec issues?

I opened this in 2020. Since then we keep JasPer alive and happy.
A couple more CVEs appeared but we fixed all of them timely.

Issues and pull requests are handled well too.
In Nov 2022 we released JasPer 4.0.0.

Which is to say that the situation improved a lot and after 3 years appears to be stable.

I would like to work on bringing it back to Gentoo.
So my plan is to:
* revert the 77aebdf0b31765b33831ca5b02ea3d98f13c46cd
* update ebuilds to 4.0.0

Once merged: re-introduce it to packages to bring back their JPEG-2000 support.

Would that be ok?
Comment 4 Michael Vetter 2023-02-10 09:23:24 UTC
> So my plan is to:

By this I mean that I would like to do it myself as a proxy maintainer. To get more practise :)
Comment 5 David Seifert gentoo-dev 2023-02-10 10:17:37 UTC
(In reply to Michael Vetter from comment #4)
> > So my plan is to:
> 
> By this I mean that I would like to do it myself as a proxy maintainer. To
> get more practise :)

Yes, readding jasper has definitely been on our TODO list.
Comment 6 Larry the Git Cow gentoo-dev 2023-04-12 13:09:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a76c8c2747a42f6d7e7df306f103c67febeb129

commit 6a76c8c2747a42f6d7e7df306f103c67febeb129
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2023-04-12 13:09:04 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-04-12 13:09:04 +0000

    media-libs/jasper: readd jasper library (4.0.0)
    
    Closes: https://github.com/gentoo/gentoo/pull/30553
    Bug: https://bugs.gentoo.org/734284
    Signed-off-by: Michael Vetter <jubalh@iodoru.org>
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-libs/jasper/Manifest            |  1 +
 media-libs/jasper/jasper-4.0.0.ebuild | 56 +++++++++++++++++++++++++++++++++++
 media-libs/jasper/jasper-9999.ebuild  | 56 +++++++++++++++++++++++++++++++++++
 media-libs/jasper/metadata.xml        | 19 ++++++++++++
 4 files changed, 132 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d481e2ef9e32d83300cfc5bd8c6ce1204aa773ac

commit d481e2ef9e32d83300cfc5bd8c6ce1204aa773ac
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2023-04-12 13:09:03 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-04-12 13:09:03 +0000

    licenses: add JasPer2.0 license
    
    License used by JasPer JPEG-2000 library.
    
    Bug: https://bugs.gentoo.org/734284
    Signed-off-by: Michael Vetter <jubalh@iodoru.org>
    Signed-off-by: David Seifert <soap@gentoo.org>

 licenses/JasPer2.0      | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
 profiles/license_groups |  2 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
Comment 7 Holger Hoffstätte 2024-01-07 12:48:49 UTC
I think this can be closed, 4.0.0 is in the tree.
There's also an update to 4.1.1 with at least one security fix in 4.0.1 for the pnm decoder, so maybe a bump is in order.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 13:44:59 UTC
My assumption was we were keeping this open to restore support in various packages from the time of removal but let's close it.
Comment 9 Michael Vetter 2024-01-08 10:06:54 UTC
(In reply to Sam James from comment #8)
> My assumption was we were keeping this open to restore support in various
> packages from the time of removal but let's close it.

Indeed that was my intention.

> There's also an update to 4.1.1 with at least one security fix in 4.0.1 for
> the pnm decoder, so maybe a bump is in order.

Actually we will most likely release a new JasPer version soonish since we fixed another security issue recently.
However I created https://github.com/gentoo/gentoo/pull/34707 now. I hope it helps.
Comment 10 Michael Vetter 2024-01-11 16:01:43 UTC
(In reply to Michael Vetter from comment #9)
> (In reply to Sam James from comment #8)
> > My assumption was we were keeping this open to restore support in various
> > packages from the time of removal but let's close it.
> 
> Indeed that was my intention.
> 
> > There's also an update to 4.1.1 with at least one security fix in 4.0.1 for
> > the pnm decoder, so maybe a bump is in order.
> 
> Actually we will most likely release a new JasPer version soonish since we
> fixed another security issue recently.

As promised, we released 4.1.2 with a fix for a CVE (shown as reserved as of now).
I created PR: https://github.com/gentoo/gentoo/pull/34761