Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 614012 (CVE-2016-9387)

Summary: <media-libs/jasper-2.0.12: multiple Assertion failure
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: sci
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/
Whiteboard: B3 [noglsa cve]
Package list:
media-libs/jasper-2.0.12
Runtime testing required: No
Attachments:
Description Flags
jasper-2.0.12-abi_ppc_32.ppc/Testing/Temporary/LastTest.log on ppc
none
jasper-2.0.12-.arm/Testing/Temporary/LastTest.log on arm none

Description Agostino Sarubbo gentoo-dev 2017-03-27 09:11:40 UTC
THe lastest issues are not fixed in any releases.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-03-29 07:13:07 UTC
    CVE ID: CVE-2016-9387
   Summary: Integer overflow in the jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.13 allows remote attackers to have unspecified impact via a crafted file, which triggers an assertion failure.
 Published: 2017-03-23T18:59:00.000Z
Comment 2 David Seifert gentoo-dev 2017-03-29 19:54:14 UTC
@Sec, if you want to stabilise, go ahead.

commit 07191dc40ff2880718f3f4a737dd7ba9de303a5e
Author: David Seifert <soap@gentoo.org>
Date:   Wed Mar 29 21:50:31 2017 +0200

    media-libs/jasper: Version bump to 2.0.12
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-03-31 04:43:13 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Agostino Sarubbo gentoo-dev 2017-04-02 17:27:20 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-04-03 12:33:51 UTC
x86 stable
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-04-03 21:00:47 UTC
ppc64 stable
ppc stable w/ testfailures simmilar to 1.900.6
Comment 7 Michael Weber (RETIRED) gentoo-dev 2017-04-03 21:07:19 UTC
Created attachment 469106 [details]
jasper-2.0.12-abi_ppc_32.ppc/Testing/Temporary/LastTest.log on ppc

ppc testfailure

Portage 2.3.3 (python 3.4.5-final-0, default/linux/powerpc/ppc32/13.0, gcc-4.9.4, glibc-2.23-r3, 4.9.6-gentoo-r1-hathor.0 ppc)
=================================================================
System uname: Linux-4.9.6-gentoo-r1-hathor.0-ppc-7450,_altivec_supported-with-gentoo-2.3
KiB Mem:      511992 total,    211160 free
KiB Swap:    2097148 total,   2086752 free
Timestamp of repository gentoo: Mon, 03 Apr 2017 17:45:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1
ccache version 3.2.4 [enabled]
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.22.3_rc4::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/ccache:          3.2.4::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.23.2::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.26.1::gentoo
sys-devel/gcc:            4.9.3::gentoo, 4.9.4::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.us.gentoo.org/gentoo-portage/
    priority: -1000

ACCEPT_KEYWORDS="ppc"
ACCEPT_LICENSE="* -@EULA"
CBUILD="powerpc-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=powerpc -mtune=powerpc -pipe"
CHOST="powerpc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -mcpu=powerpc -mtune=powerpc -pipe"
DISTDIR="/var/cache/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles keeptemp keepwork merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms split-log strict test test-fail-continue unknown-features-warn unmerge-backup unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PKGDIR="/var/cache/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl berkdb bzip2 cli cracklib crypt cxx dri fortran gdbm iconv ipv6 modules ncurses nls nptl openmp pam pcre ppc readline seccomp session ssl tcpd unicode xattr zlib" ABI_PPC="32" ALSA_CARDS="aoa aoa-fabric-layout aoa-onyx aoa-soundbus aoa-soundbus-i2s aoa-tas aoa-toonie powermac usb-audio via82xx" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="fbdev glint mach64 mga nv r128 radeon savage tdfx trident dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 8 Michael Weber (RETIRED) gentoo-dev 2017-04-03 21:18:06 UTC
Created attachment 469108 [details]
jasper-2.0.12-.arm/Testing/Temporary/LastTest.log on arm

arm stable w/ testfailure

emerge --info
Portage 2.3.3 (python 3.4.5-final-0, default/linux/arm/13.0/armv7a, gcc-4.9.4, glibc-2.23-r3, 4.0.0-rc6-00050-g631acab-dirty armv7l)
=================================================================
System uname: Linux-4.0.0-rc6-00050-g631acab-dirty-armv7l-ARMv7_Processor_rev_3_-v7l-with-gentoo-2.3
KiB Mem:     2061024 total,    772572 free
KiB Swap:    2097148 total,   2065392 free
Timestamp of repository gentoo: Mon, 03 Apr 2017 17:45:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1
ccache version 3.2.4 [enabled]
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.22.3_rc4::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/ccache:          3.2.4::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.23.2::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.26.1::gentoo
sys-devel/gcc:            4.9.4::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.us.gentoo.org/gentoo-portage/
    priority: -1000

xmw
    location: /var/lib/layman/xmw
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="arm"
ACCEPT_LICENSE="* -@EULA"
CBUILD="armv7a-hardfloat-linux-gnueabi"
CFLAGS="-O2 -pipe -march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard"
CHOST="armv7a-hardfloat-linux-gnueabi"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=armv7-a"
DISTDIR="/var/cache/distfiles"
FCFLAGS="-O2 -pipe -march=armv7-a"
FEATURES="assume-digests binpkg-logs ccache compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles keeptemp keepwork merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms split-log strict test test-fail-continue unknown-features-warn unmerge-backup unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe -march=armv7-a"
GENTOO_MIRRORS="http://lore.xmw.de/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/var/cache/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl arm armv5te armv6 armv6t2 berkdb bzip2 cli cracklib crypt cxx dri fortran gdbm iconv ipv6 modules ncurses nls nptl openmp pam pcre readline seccomp session ssl tcpd unicode xattr zlib" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_ARM="edsp thumb thumb2 v4 v5 v6 v7 vfp" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="exynos fbdev omap dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-04 19:32:45 UTC
Stable on alpha.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2017-04-07 09:41:43 UTC
Stable for HPPA.
Comment 11 Agostino Sarubbo gentoo-dev 2017-04-27 11:25:41 UTC
sparc stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-04-27 20:36:36 UTC
ia64 is not a security supported arch please continue with stabilization of that.

Arches, Thank you for your work.
Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 13 David Seifert gentoo-dev 2017-05-16 06:41:15 UTC
(In reply to Yury German from comment #12)
> ia64 is not a security supported arch please continue with stabilization of
> that.
> 
> Arches, Thank you for your work.
> Maintainer(s), please drop the vulnerable version(s).
> 
> GLSA Vote: No

Done.

commit 34021ba28f658439a6c09fd7ae78ebd9bd932ccb
Author: David Seifert <soap@gentoo.org>
Date:   Tue May 16 08:39:11 2017 +0200

    media-libs/jasper: Remove old
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2017-05-16 06:45:51 UTC
Maintainer(s), Thank you for your work.
Thank you all for you work. 
Closing as [noglsa].