Summary: | media-libs/jasper: multiple Vulnerabilities (CVE-2017-{13745,13746,13747,13748,13749,13750,13751,13752,3745,3746,3747,3748,3749,3750,3751,3752,3753}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Aleksandr Wagner (Kivak) <alwag> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | sci |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
Aleksandr Wagner (Kivak)
2017-08-29 13:16:52 UTC
They are duplicates of my findings on ~1year ago: https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/ CVE-2017-13752 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13752): There is a reachable assertion abort in the function jpc_dequantize() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. CVE-2017-13751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13751): There is a reachable assertion abort in the function calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. CVE-2017-13750 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13750): There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1296 in JasPer 2.0.12 that will lead to a remote denial of service attack. CVE-2017-13749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13749): There is a reachable assertion abort in the function jpc_pi_nextrpcl() in jpc/jpc_t2cod.c in JasPer 2.0.12 that will lead to a remote denial of service attack. CVE-2017-13748 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13748): There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack. CVE-2017-13747 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13747): There is a reachable assertion abort in the function jpc_floorlog2() in jpc/jpc_math.c in JasPer 2.0.12 that will lead to a remote denial of service attack. CVE-2017-13746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13746): There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1297 in JasPer 2.0.12 that will lead to a remote denial of service attack. CVE-2017-13745 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13745): There is a reachable assertion abort in the function jpc_dec_process_sot() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. The following are for Version 2.0.14 currently in Tree CVE-2017-13745 - Not Fixed - https://github.com/mdadams/jasper/issues/166 CVE-2017-13746 - Not Fixed - https://github.com/mdadams/jasper/issues/165 CVE-2017-13747 - Not Fixed - https://github.com/mdadams/jasper/issues/71 CVE-2017-13748 - Not Fixed - https://github.com/mdadams/jasper/issues/168 - Fix Request - https://github.com/mdadams/jasper/pull/159 CVE-2017-13749 - Not Fixed - https://github.com/mdadams/jasper/issues/167 CVE-2017-13750 - Not Fixed - https://github.com/mdadams/jasper/issues/165 CVE-2017-13751 - not Fixed - https://github.com/mdadams/jasper/issues/83 CVE-2017-13752 - Not Fixed - https://github.com/mdadams/jasper/issues/56 CVE-2017-13753 - Could not find on Githumb - Unknown The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c70fe723dcfe0fabab75f3a76942207018e83e1f commit c70fe723dcfe0fabab75f3a76942207018e83e1f Author: David Seifert <soap@gentoo.org> AuthorDate: 2019-07-14 10:29:20 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2019-07-14 10:29:20 +0000 package.mask: Last rite media-libs/jasper Bug: https://bugs.gentoo.org/601068 Bug: https://bugs.gentoo.org/614028 Bug: https://bugs.gentoo.org/614032 Bug: https://bugs.gentoo.org/614566 Bug: https://bugs.gentoo.org/619120 Bug: https://bugs.gentoo.org/624988 Bug: https://bugs.gentoo.org/629286 Bug: https://bugs.gentoo.org/635552 Bug: https://bugs.gentoo.org/662160 Bug: https://bugs.gentoo.org/674154 Bug: https://bugs.gentoo.org/674214 Bug: https://bugs.gentoo.org/684826 Bug: https://bugs.gentoo.org/689784 Signed-off-by: David Seifert <soap@gentoo.org> profiles/base/package.use.mask | 23 +++++++++++++++++++++++ profiles/package.mask | 7 +++++++ 2 files changed, 30 insertions(+) This issue was resolved and addressed in GLSA 201908-03 at https://security.gentoo.org/glsa/201908-03 by GLSA coordinator Aaron Bauman (b-man). The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77aebdf0b31765b33831ca5b02ea3d98f13c46cd commit 77aebdf0b31765b33831ca5b02ea3d98f13c46cd Author: David Seifert <soap@gentoo.org> AuthorDate: 2019-08-27 09:07:01 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2019-08-27 09:07:01 +0000 media-libs/jasper: Remove from tree Bug: https://bugs.gentoo.org/674214 Closes: https://bugs.gentoo.org/601068 Closes: https://bugs.gentoo.org/614028 Closes: https://bugs.gentoo.org/614032 Closes: https://bugs.gentoo.org/614566 Closes: https://bugs.gentoo.org/619120 Closes: https://bugs.gentoo.org/624988 Closes: https://bugs.gentoo.org/629286 Closes: https://bugs.gentoo.org/635552 Closes: https://bugs.gentoo.org/662160 Closes: https://bugs.gentoo.org/674154 Closes: https://bugs.gentoo.org/684826 Closes: https://bugs.gentoo.org/689784 Package-Manager: Portage-2.3.72, Repoman-2.3.17 Signed-off-by: David Seifert <soap@gentoo.org> media-libs/jasper/Manifest | 2 - .../files/jasper-2.0.14-fix-test-suite.patch | 28 --------- media-libs/jasper/jasper-2.0.14.ebuild | 67 ---------------------- media-libs/jasper/jasper-2.0.16.ebuild | 65 --------------------- media-libs/jasper/jasper-9999.ebuild | 65 --------------------- media-libs/jasper/metadata.xml | 11 ---- 6 files changed, 238 deletions(-) |