Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 635552 (CVE-2017-1000050, CVE-2017-14229, CVE-2017-14232) - media-libs/jasper: Multiple vulnerabilities
Summary: media-libs/jasper: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-1000050, CVE-2017-14229, CVE-2017-14232
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-27 01:33 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-09 20:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-27 01:33:30 UTC
CVE-2017-14229 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14229):
  There is an infinite loop in the jpc_dec_tileinit function in jpc/jpc_dec.c
  of Jasper 2.0.13. It will lead to a remote denial of service attack.

CVE-2017-14132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14132):
  JasPer 2.0.13 allows remote attackers to cause a denial of service
  (heap-based buffer over-read and application crash) via a crafted image,
  related to the jas_image_ishomosamp function in libjasper/base/jas_image.c.

CVE-2017-1000050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000050):
  JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function
  jp2_encode which failed to check to see if the image contained at least one
  component resulting in a denial-of-service.
Comment 1 Christopher Díaz Riveros gentoo-dev Security 2017-10-27 01:35:17 UTC
@Maintainers JasPer 2.0.14 is available, please call for stabilization when ready.

Thank you
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2018-11-12 23:04:33 UTC
Sci Team
Please confirm if this is included in 2.0.14 that is currently stable so we can close the bug
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2018-11-13 00:02:00 UTC
Never Mind answering myself for version 2.0.14 currently stable
CVE-2017-14229 - NOT Fixed
- https://github.com/mdadams/jasper/issues/146
CVE-2017-14132 - Not fixed
- https://github.com/mdadams/jasper/issues/147
CVE-2017-1000050 - Fixed - Version 2.0.13
- https://github.com/mdadams/jasper/issues/120
Comment 4 Larry the Git Cow gentoo-dev 2019-07-14 10:30:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c70fe723dcfe0fabab75f3a76942207018e83e1f

commit c70fe723dcfe0fabab75f3a76942207018e83e1f
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2019-07-14 10:29:20 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2019-07-14 10:29:20 +0000

    package.mask: Last rite media-libs/jasper
    
    Bug: https://bugs.gentoo.org/601068
    Bug: https://bugs.gentoo.org/614028
    Bug: https://bugs.gentoo.org/614032
    Bug: https://bugs.gentoo.org/614566
    Bug: https://bugs.gentoo.org/619120
    Bug: https://bugs.gentoo.org/624988
    Bug: https://bugs.gentoo.org/629286
    Bug: https://bugs.gentoo.org/635552
    Bug: https://bugs.gentoo.org/662160
    Bug: https://bugs.gentoo.org/674154
    Bug: https://bugs.gentoo.org/674214
    Bug: https://bugs.gentoo.org/684826
    Bug: https://bugs.gentoo.org/689784
    Signed-off-by: David Seifert <soap@gentoo.org>

 profiles/base/package.use.mask | 23 +++++++++++++++++++++++
 profiles/package.mask          |  7 +++++++
 2 files changed, 30 insertions(+)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-08-09 20:39:37 UTC
This issue was resolved and addressed in
 GLSA 201908-03 at https://security.gentoo.org/glsa/201908-03
by GLSA coordinator Aaron Bauman (b-man).