Summary: | <media-libs/jasper-1.900.1-r8: input sanitization errors (CVE-2014-{8137,8138}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | sci
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.openwall.com/lists/oss-security/2014/12/18/11 | |
Whiteboard: | B2 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Agostino Sarubbo
2014-12-28 09:27:22 UTC
+*jasper-1.900.1-r8 (04 Jan 2015) + + 04 Jan 2015; Justin Lecher <jlec@gentoo.org> +jasper-1.900.1-r8.ebuild, + +files/jasper-CVE-2014-8137.patch, +files/jasper-CVE-2014-8138.patch: + Import fixes for CVE-2014-8137/8 from fedora, #533744 +

@arches, please stabilize.

CVE-2014-8138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8138): Heap-based buffer overflow in the jp2_decode function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 file.

CVE-2014-8137 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8137): Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file.

(In reply to Justin Lecher from comment #2)
> @arches, please stabilize.

You're supposed to say what is to be stabilised.

(In reply to Jeroen Roovers from comment #4)
> (In reply to Justin Lecher from comment #2)
> > @arches, please stabilize.
>
> You're supposed to say what is to be stabilised.

How about media-libs/jasper-1.900.1-r8 ?

amd64 stable

x86 stable

Stable for HPPA.

>
> How about media-libs/jasper-1.900.1-r8 ?
Something like this:
Arches, please test and mark stable:
=media-libs/jasper-1.900.1-r8
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Thank you!
ppc stable

Stable on alpha.

arm stable

sparc stable

ppc64 stable

ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

+ 16 Jan 2015; Justin Lecher <jlec@gentoo.org> -jasper-1.900.1-r7.ebuild: + Cleanup vulnerable versions for CVE-2014-{8137,8138}, #533744 +

Thanks everyone.

GLSA draft needs another review.

This issue was resolved and addressed in GLSA 201503-01 at http://security.gentoo.org/glsa/glsa-201503-01.xml by GLSA coordinator Mikle Kolyada (Zlogene).