The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.
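The advisory text above describes the defect class only in outline: a marker-segment parser that derives an allocation size from a length field it read from the file. As an added example, not JasPer's code and not the fix that went into jasper-1.900.1-r1, here is a hypothetical bounds-checked parser for a constructed quantization-style marker segment. The segment layout, the MAX_STEPSIZES cap, the function names and the sample buffers are all assumptions made for illustration; the point is the order of checks before any memory is sized from file-controlled data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on step-size entries, chosen for this example. A real decoder
 * would derive it from the maximum number of resolution levels it supports. */
#define MAX_STEPSIZES 64

typedef struct {
    uint8_t style;        /* low 5 bits of the style byte (constructed layout) */
    uint8_t numguard;     /* high 3 bits of the style byte */
    size_t numstepsizes;
    uint16_t *stepsizes;  /* heap array sized from the validated count only */
} qparms_t;

/* Constructed segment layout: 2-byte big-endian length (which counts itself),
 * one style byte, then step sizes of 1 byte (style 0) or 2 bytes (style 1).
 * Returns 0 on success, -1 on malformed input; nothing is allocated on -1. */
int parse_quant_segment(const uint8_t *buf, size_t buflen, qparms_t *out)
{
    if (buflen < 3)
        return -1;                 /* not even a header present */
    size_t seglen = ((size_t)buf[0] << 8) | buf[1];
    if (seglen < 3)
        return -1;                 /* payload size would underflow */
    if (seglen > buflen)
        return -1;                 /* declared length exceeds the bytes actually present */

    uint8_t sty = buf[2];
    size_t payload = seglen - 3;
    size_t entrysize;
    switch (sty & 0x1f) {
    case 0: entrysize = 1; break;
    case 1: entrysize = 2; break;
    default: return -1;            /* unknown style: do not guess a count */
    }
    if (payload % entrysize != 0)
        return -1;                 /* trailing partial entry */
    size_t n = payload / entrysize;
    if (n == 0 || n > MAX_STEPSIZES)
        return -1;                 /* file-derived count is bounded before calloc */

    uint16_t *ss = calloc(n, sizeof *ss);
    if (ss == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        /* In bounds by construction: 3 + n * entrysize == seglen <= buflen. */
        const uint8_t *p = buf + 3 + i * entrysize;
        ss[i] = (entrysize == 1) ? p[0] : (uint16_t)((p[0] << 8) | p[1]);
    }
    out->style = sty & 0x1f;
    out->numguard = (sty >> 5) & 0x07;
    out->numstepsizes = n;
    out->stepsizes = ss;
    return 0;
}

void free_qparms(qparms_t *q)
{
    free(q->stepsizes);
    q->stepsizes = NULL;
    q->numstepsizes = 0;
}

/* Constructed sample inputs (not real JPEG 2000 data). */
static const uint8_t sample_ok[]       = { 0x00, 0x07, 0x40, 0x10, 0x20, 0x30, 0x40 }; /* len 7, guard 2, style 0, 4 entries */
static const uint8_t sample_overlong[] = { 0x00, 0xff, 0x40, 0x10, 0x20, 0x30, 0x40 }; /* claims 255 bytes, only 7 present */
static const uint8_t sample_odd[]      = { 0x00, 0x06, 0x41, 0x01, 0x02, 0x03 };       /* style 1 with 3 payload bytes */

/* Helpers returning plain ints so results can be checked without capturing output. */
int check_wellformed(void)
{
    qparms_t q;
    if (parse_quant_segment(sample_ok, sizeof sample_ok, &q) != 0)
        return -1;
    int first = q.stepsizes[0];
    int n = (int)q.numstepsizes;
    free_qparms(&q);
    return (first == 0x10) ? n : -1;   /* 4 when parsing succeeded as expected */
}
int check_overlong(void) { qparms_t q; return parse_quant_segment(sample_overlong, sizeof sample_overlong, &q); }
int check_odd(void)      { qparms_t q; return parse_quant_segment(sample_odd, sizeof sample_odd, &q); }

int main(void)
{
    printf("well-formed: %d entries\n", check_wellformed());
    printf("overlong length rejected: %s\n", check_overlong() == -1 ? "yes" : "no");
    printf("partial entry rejected: %s\n", check_odd() == -1 ? "yes" : "no");
    return 0;
}
```

The two rejections shown are the cases a truncated or hand-edited file produces: a length field that promises more bytes than the stream holds, and a payload that is not a whole number of entries. Both are caught before the count is used to size or fill the heap array.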
sci please advise.
Hi guys, Thanks for the heads-up! I just had a look at bug #413041 in Debian's bugzilla and what a mess! In any case, I just pushed out jasper-1.900.1-r1 which has the fix for the overflow in jpc/jpc_cs.c. This addresses the problems with the test files broken2.jp2 and broken4.jp2 as posted in Debian's bugzilla. However, the other ones (broken.jpc, ..) still cause segfaults on my x86 box and are still unresolved in debian as well AFAICT. How should we proceed from here? Thanks, Markus
My apologies, I didn't mean to close this one at all :( I don't know what happened! Reopening..... Markus
I guess you checked "Resolve bug" before committing :) Markus, do you have any idea about a possible timeframe for the remaining fixes? The issue doesn't seem too serious so I'd rather avoid calling arches twice if it's not needed.
Unfortunately, I don't know jasper well at all so I don't really have a time frame yet for when the rest will be fixed and by whom. I'll keep an eye on debian's bugzilla for any progress. I suspect that the best way to proceed would be to ping upstream, make them aware of the problems (not sure if this has happened yet) and hope they will provide an updated release that fixes these issues. I'll ping them later and post back with any news. Thanks, Markus
Markus, any news? Otherwise I'll call arches.
Hi Sune,

Sorry for the delay! I just heard back from upstream and here's what they have to say

----------- SNIP ----------------
On Mon, 21 May 2007, Markus Dittrich wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Greetings and sorry to bug you with this.
> A few days ago a security advisory
> was issued for libjasper
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721

I will add your email to my work queue for JasPer. Since I do not have much time to work on JasPer these days, it may take a while before I can resolve the issues mentioned in your email.

--Michael
----------- SNIP -------------------------------------------------

Sounds to me as if the remaining issues won't get resolved in the very near future. Nothing has happened over at debian regarding the remaining issues either AFAICT. Hence, maybe we should just go ahead and push out what we have so far. What do you think?

Best,
Markus
Thx Michael, let's get this stabled. Arches please test and mark stable. Target keywords are:
jasper-1.900.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
media-libs/jasper-1.900.1-r1 USE="jpeg opengl"
1. emerges on x86
2. passes test suite
3. passes collision test
4. works

Portage 2.1.2.7 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r3, 2.6.17-gentoo-r8-panic i686)
=================================================================
System uname: 2.6.17-gentoo-r8-panic i686 Intel(R) Pentium(R) M processor 2.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 04 Jun 2007 08:00:01 +0000
ccache version 2.4 [disabled]
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="it_IT.UTF-8"
LC_ALL="C"
LINGUAS="it"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/webapps-experimental /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi adns alsa apache arts asf ati avi bash-completion beagle berkdb bitmap-fonts browserplugin bzip2 cairo caps cdr cli cracklib crd crypt cups curl daap dbus dga djvu dmi dri dts dvd dvdr dvi emacs evo exif fbcon ffmpeg firefox flac foomatic fortran gdbm gif gimpprint glitz gnome gnutls gpm gtk hal i810 iconv imagemagick intel ipod ipv6 isdnlog java jpeg kde libg++ libnotify libsexy lns mad midi mmap mmx mng mono mozilla moznocompose moznoirc moznomail mozsvg mp3 mp4 mpeg mudflap musepack nautilus ncurses network njb nls nptl nptlonly nsplugin numeric ogg ole opengl openmp openntpd oss pam pcre pdf perl php png portaudio posix ppds pppd pwdb python qt qt3 radeon readline real reflection samba sdl session sndfile spl sse sse2 ssl svg t1lib tcpd test theora threads truetype-fonts type1-fonts unicode usb v4l vcd vorbis win32codecs wma wmf wmv wxwindows x264 x86 xine xml2 xorg xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="it"
USERLAND="GNU"
VIDEO_CARDS="vesa i810 vga"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

For me Stable in x86
The update breaks ABI, thus it would be nice to have the big fat usual "revdep-rebuild" warning stuck to it. It breaks digikam at least.
Markus please provide an updated elog warning. Arches I guess you can just continue stable marking.
Stable for HPPA.
sparc stable and added the note myself.
(In reply to comment #13)
> sparc stable and added the note myself.
>

Thanks much! Unfortunately, I wasn't aware of the ABI break. I really wonder if I should ask the graphics folks if they would be willing to take over this package since the sci herd doesn't quite seem like its proper home :)

Best,
Markus
ppc64 stable
ppc stable
x86 stable
alpha/ia64 stable
media-libs/jasper-1.900.1-r1 is stable on amd64
1) Emerges cleanly with USE="X jpeg jpeg2k mpeg perl png truetype xml zlib -bzip2 -doc -fpx -graphviz -gs -jbig -lcms -nocxx -tiff -wmf"
2) No Collisions
3) Works

Portage 2.1.2.7 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.5-r3, 2.6.22-rc4-kamikaze x86_64)
=================================================================
System uname: 2.6.22-rc4-kamikaze x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 07 Jun 2007 15:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=nocona -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://www.gtlib.gatech.edu/pub/gentoo "
MAKEOPTS="-j3"
PKGDIR="/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl alsa amd64 berkdb bitmap-fonts cli cracklib crypt cups dbus dri flac fortran gdbm gpm hal iconv ipv6 isdnlog jpeg kde kdeenablefinal libg++ mad midi mmx mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre perl png pppd python qt4 readline reflection session spl sse sse2 ssl symlink tcpd test truetype truetype-fonts type1-fonts unicode vorbis xml xorg zlib"
ALSA_CARDS="usb-audio hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="nvidia"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Sorry for the delay, amd64 stable, thanks Kenneth.
I vote NO.
"possible?" just "crash"? Then I vote noglsa.