Summary: | <media-libs/jasper-2.0.12: multiple Assertion failure | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | minor | CC: | sci | ||||||
Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
||||||
Version: | unspecified | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
URL: | https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/ | ||||||||
Whiteboard: | B3 [noglsa cve] | ||||||||
Package list: |
media-libs/jasper-2.0.12
|
Runtime testing required: | No | ||||||
Attachments: |
|
Description
Agostino Sarubbo
2017-03-27 09:11:40 UTC
CVE ID: CVE-2016-9387 Summary: Integer overflow in the jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.13 allows remote attackers to have unspecified impact via a crafted file, which triggers an assertion failure. Published: 2017-03-23T18:59:00.000Z @Sec, if you want to stabilise, go ahead. commit 07191dc40ff2880718f3f4a737dd7ba9de303a5e Author: David Seifert <soap@gentoo.org> Date: Wed Mar 29 21:50:31 2017 +0200 media-libs/jasper: Version bump to 2.0.12 Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself. amd64 stable x86 stable ppc64 stable ppc stable w/ testfailures simmilar to 1.900.6 Created attachment 469106 [details] jasper-2.0.12-abi_ppc_32.ppc/Testing/Temporary/LastTest.log on ppc ppc testfailure Portage 2.3.3 (python 3.4.5-final-0, default/linux/powerpc/ppc32/13.0, gcc-4.9.4, glibc-2.23-r3, 4.9.6-gentoo-r1-hathor.0 ppc) ================================================================= System uname: Linux-4.9.6-gentoo-r1-hathor.0-ppc-7450,_altivec_supported-with-gentoo-2.3 KiB Mem: 511992 total, 211160 free KiB Swap: 2097148 total, 2086752 free Timestamp of repository gentoo: Mon, 03 Apr 2017 17:45:01 +0000 sh bash 4.3_p48-r1 ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1 ccache version 3.2.4 [enabled] app-shells/bash: 4.3_p48-r1::gentoo dev-lang/perl: 5.22.3_rc4::gentoo dev-lang/python: 2.7.12::gentoo, 3.4.5::gentoo dev-util/ccache: 3.2.4::gentoo dev-util/cmake: 3.7.2::gentoo dev-util/pkgconfig: 0.28-r2::gentoo sys-apps/baselayout: 2.3::gentoo sys-apps/openrc: 0.23.2::gentoo sys-apps/sandbox: 2.10-r3::gentoo sys-devel/autoconf: 2.13::gentoo, 2.69::gentoo sys-devel/automake: 1.14.1::gentoo, 1.15::gentoo sys-devel/binutils: 2.26.1::gentoo sys-devel/gcc: 4.9.3::gentoo, 4.9.4::gentoo sys-devel/gcc-config: 1.7.3::gentoo sys-devel/libtool: 2.4.6-r3::gentoo sys-devel/make: 4.2.1::gentoo sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers) sys-libs/glibc: 2.23-r3::gentoo Repositories: gentoo location: /usr/portage sync-type: rsync sync-uri: rsync://rsync.us.gentoo.org/gentoo-portage/ priority: -1000 ACCEPT_KEYWORDS="ppc" ACCEPT_LICENSE="* -@EULA" CBUILD="powerpc-unknown-linux-gnu" CFLAGS="-O2 -mcpu=powerpc -mtune=powerpc -pipe" CHOST="powerpc-unknown-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O2 -mcpu=powerpc -mtune=powerpc -pipe" DISTDIR="/var/cache/distfiles" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs ccache compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles keeptemp keepwork merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms split-log strict test test-fail-continue unknown-features-warn unmerge-backup unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://distfiles.gentoo.org" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" PKGDIR="/var/cache/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git" PORTAGE_TMPDIR="/var/tmp" USE="acl berkdb bzip2 cli cracklib crypt cxx dri fortran gdbm iconv ipv6 modules ncurses nls nptl openmp pam pcre ppc readline seccomp session ssl tcpd unicode xattr zlib" ABI_PPC="32" ALSA_CARDS="aoa aoa-fabric-layout aoa-onyx aoa-soundbus aoa-soundbus-i2s aoa-tas aoa-toonie powermac usb-audio via82xx" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="fbdev glint mach64 mga nv r128 radeon savage tdfx trident dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON Created attachment 469108 [details] jasper-2.0.12-.arm/Testing/Temporary/LastTest.log on arm arm stable w/ testfailure emerge --info Portage 2.3.3 (python 3.4.5-final-0, default/linux/arm/13.0/armv7a, gcc-4.9.4, glibc-2.23-r3, 4.0.0-rc6-00050-g631acab-dirty armv7l) ================================================================= System uname: Linux-4.0.0-rc6-00050-g631acab-dirty-armv7l-ARMv7_Processor_rev_3_-v7l-with-gentoo-2.3 KiB Mem: 2061024 total, 772572 free KiB Swap: 2097148 total, 2065392 free Timestamp of repository gentoo: Mon, 03 Apr 2017 17:45:01 +0000 sh bash 4.3_p48-r1 ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1 ccache version 3.2.4 [enabled] app-shells/bash: 4.3_p48-r1::gentoo dev-lang/perl: 5.22.3_rc4::gentoo dev-lang/python: 2.7.12::gentoo, 3.4.5::gentoo dev-util/ccache: 3.2.4::gentoo dev-util/cmake: 3.7.2::gentoo dev-util/pkgconfig: 0.28-r2::gentoo sys-apps/baselayout: 2.3::gentoo sys-apps/openrc: 0.23.2::gentoo sys-apps/sandbox: 2.10-r3::gentoo sys-devel/autoconf: 2.13::gentoo, 2.69::gentoo sys-devel/automake: 1.11.6-r1::gentoo, 1.14.1::gentoo, 1.15::gentoo sys-devel/binutils: 2.26.1::gentoo sys-devel/gcc: 4.9.4::gentoo sys-devel/gcc-config: 1.7.3::gentoo sys-devel/libtool: 2.4.6-r3::gentoo sys-devel/make: 4.2.1::gentoo sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers) sys-libs/glibc: 2.23-r3::gentoo Repositories: gentoo location: /usr/portage sync-type: rsync sync-uri: rsync://rsync.us.gentoo.org/gentoo-portage/ priority: -1000 xmw location: /var/lib/layman/xmw masters: gentoo priority: 50 ACCEPT_KEYWORDS="arm" ACCEPT_LICENSE="* -@EULA" CBUILD="armv7a-hardfloat-linux-gnueabi" CFLAGS="-O2 -pipe -march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard" CHOST="armv7a-hardfloat-linux-gnueabi" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O2 -pipe -march=armv7-a" DISTDIR="/var/cache/distfiles" FCFLAGS="-O2 -pipe -march=armv7-a" FEATURES="assume-digests binpkg-logs ccache compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles keeptemp keepwork merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms split-log strict test test-fail-continue unknown-features-warn unmerge-backup unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-O2 -pipe -march=armv7-a" GENTOO_MIRRORS="http://lore.xmw.de/gentoo/" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j4" PKGDIR="/var/cache/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git" PORTAGE_TMPDIR="/var/tmp" USE="acl arm armv5te armv6 armv6t2 berkdb bzip2 cli cracklib crypt cxx dri fortran gdbm iconv ipv6 modules ncurses nls nptl openmp pam pcre readline seccomp session ssl tcpd unicode xattr zlib" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_ARM="edsp thumb thumb2 v4 v5 v6 v7 vfp" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="exynos fbdev omap dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON Stable on alpha. Stable for HPPA. sparc stable ia64 is not a security supported arch please continue with stabilization of that. Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No (In reply to Yury German from comment #12) > ia64 is not a security supported arch please continue with stabilization of > that. > > Arches, Thank you for your work. > Maintainer(s), please drop the vulnerable version(s). > > GLSA Vote: No Done. commit 34021ba28f658439a6c09fd7ae78ebd9bd932ccb Author: David Seifert <soap@gentoo.org> Date: Tue May 16 08:39:11 2017 +0200 media-libs/jasper: Remove old Maintainer(s), Thank you for your work. Thank you all for you work. Closing as [noglsa]. |