From ${URL} : A new double free affecting JasPer JPEG-2000 (libjasper 1.900) has been found triggered by function jasper_image_stop_load. Despite this library is used by many programs ( http://www.ece.uvic.ca/~frodo/jasper/#overview), there is no one providing support, so there is no fix so far. The proposed patch is: http://sourceforge.net/projects/mancha/files/sec/jasper-1.900.1_CVE-2015-5203.diff @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The first upstream version that contains the fix for this bug is 1.900.10 The first fixed version in tree was 1.900.15 So it will be fixed in the next stabilization of jasper. I'm adding stable blocked because there are some things that seems to not work in the latest jasper regards multilib and gold/bfd
Arches and Maintainer(s), Thank you for your work. No longer in tree. GLSA Vote: No Closing as [noglsa].
Added to an existing GLSA Request. Jasper GLSA already in process, adding to it.
This issue was resolved and addressed in GLSA 201707-07 at https://security.gentoo.org/glsa/201707-07 by GLSA coordinator Thomas Deutschmann (whissi).