Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 614028 (CVE-2017-5503, CVE-2017-5504, CVE-2017-5505, CVE-2017-6851) - media-libs/jasper: multiple invalid memory access
Summary: media-libs/jasper: multiple invalid memory access
Status: RESOLVED FIXED
Alias: CVE-2017-5503, CVE-2017-5504, CVE-2017-5505, CVE-2017-6851
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
: 618478 618480 618482 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-03-27 09:22 UTC by Agostino Sarubbo
Modified: 2019-08-27 09:07 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-03-28 05:44:40 UTC 
    CVE ID: CVE-2017-5503
   Summary: The dec_clnpass function in libjasper/jpc/jpc_t1dec.c in JasPer 1.900.27 allows remote attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via a crafted image.
 Published: 2017-03-01T15:59:00.000Z
______________________________

    CVE ID: CVE-2017-5504
   Summary: The jpc_undo_roi function in libjasper/jpc/jpc_dec.c in JasPer 1.900.27 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted image.
 Published: 2017-03-01T15:59:00.000Z

______________________________

    CVE ID: CVE-2017-5505
   Summary: The jas_matrix_asl function in jas_seq.c in JasPer 1.900.27 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted image.
 Published: 2017-03-16T15:59:00.000Z

______________________________

    CVE ID: CVE-2017-6851
   Summary: The jas_matrix_bindsub function in jas_seq.c in JasPer 2.0.10 allows remote attackers to cause a denial of service (invalid read) via a crafted image.
 Published: 2017-03-15T14:59:01.000Z
Comment 2 Agostino Sarubbo gentoo-dev 2017-05-15 06:56:21 UTC 
*** Bug 618478 has been marked as a duplicate of this bug. ***
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-15 06:56:45 UTC 
*** Bug 618480 has been marked as a duplicate of this bug. ***
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-15 06:57:16 UTC 
*** Bug 618482 has been marked as a duplicate of this bug. ***
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2018-11-13 00:26:38 UTC 
Status as of 2.014 - Upstream Not Fixed

CVE-2017-5503 - Not Fixed
- https://github.com/mdadams/jasper/issues/90
CVE-2017-5504 - Not Fixed
- https://github.com/mdadams/jasper/issues/89
CVE-2017-5505 - Not Fixed
- https://github.com/mdadams/jasper/issues/88
CVE-2017-6851 - Not Fixed
- https://github.com/mdadams/jasper/issues/113
Comment 6 Larry the Git Cow gentoo-dev 2019-07-14 10:30:02 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c70fe723dcfe0fabab75f3a76942207018e83e1f

commit c70fe723dcfe0fabab75f3a76942207018e83e1f
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2019-07-14 10:29:20 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2019-07-14 10:29:20 +0000

    package.mask: Last rite media-libs/jasper
    
    Bug: https://bugs.gentoo.org/601068
    Bug: https://bugs.gentoo.org/614028
    Bug: https://bugs.gentoo.org/614032
    Bug: https://bugs.gentoo.org/614566
    Bug: https://bugs.gentoo.org/619120
    Bug: https://bugs.gentoo.org/624988
    Bug: https://bugs.gentoo.org/629286
    Bug: https://bugs.gentoo.org/635552
    Bug: https://bugs.gentoo.org/662160
    Bug: https://bugs.gentoo.org/674154
    Bug: https://bugs.gentoo.org/674214
    Bug: https://bugs.gentoo.org/684826
    Bug: https://bugs.gentoo.org/689784
    Signed-off-by: David Seifert <soap@gentoo.org>

 profiles/base/package.use.mask | 23 +++++++++++++++++++++++
 profiles/package.mask          |  7 +++++++
 2 files changed, 30 insertions(+)
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2019-08-09 20:39:08 UTC 
This issue was resolved and addressed in
 GLSA 201908-03 at https://security.gentoo.org/glsa/201908-03
by GLSA coordinator Aaron Bauman (b-man).
Comment 8 Larry the Git Cow gentoo-dev 2019-08-27 09:07:37 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77aebdf0b31765b33831ca5b02ea3d98f13c46cd

commit 77aebdf0b31765b33831ca5b02ea3d98f13c46cd
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2019-08-27 09:07:01 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2019-08-27 09:07:01 +0000

    media-libs/jasper: Remove from tree
    
    Bug: https://bugs.gentoo.org/674214
    Closes: https://bugs.gentoo.org/601068
    Closes: https://bugs.gentoo.org/614028
    Closes: https://bugs.gentoo.org/614032
    Closes: https://bugs.gentoo.org/614566
    Closes: https://bugs.gentoo.org/619120
    Closes: https://bugs.gentoo.org/624988
    Closes: https://bugs.gentoo.org/629286
    Closes: https://bugs.gentoo.org/635552
    Closes: https://bugs.gentoo.org/662160
    Closes: https://bugs.gentoo.org/674154
    Closes: https://bugs.gentoo.org/684826
    Closes: https://bugs.gentoo.org/689784
    Package-Manager: Portage-2.3.72, Repoman-2.3.17
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-libs/jasper/Manifest                         |  2 -
 .../files/jasper-2.0.14-fix-test-suite.patch       | 28 ---------
 media-libs/jasper/jasper-2.0.14.ebuild             | 67 ----------------------
 media-libs/jasper/jasper-2.0.16.ebuild             | 65 ---------------------
 media-libs/jasper/jasper-9999.ebuild               | 65 ---------------------
 media-libs/jasper/metadata.xml                     | 11 ----
 6 files changed, 238 deletions(-)