Bug 533744 (CVE-2014-8137) - <media-libs/jasper-1.900.1-r8: input sanitization errors (CVE-2014-{8137,8138})
Summary: <media-libs/jasper-1.900.1-r8: input sanitization errors (CVE-2014-{8137,8138})
Status: RESOLVED FIXED
Alias: CVE-2014-8137
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-28 09:27 UTC by Agostino Sarubbo
Modified: 2015-03-06 15:29 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-12-28 09:27:22 UTC
From ${URL} :

#2014-012 JasPer input sanitization errors

Description:

The JasPer project is an open source implementation for the JPEG-2000 codec.

The library is affected by a double-free vulnerability in function
jas_iccattrval_destroy() as well as a heap-based buffer overflow in function
jp2_decode().

A specially crafted jp2 file can be used to trigger the vulnerabilities.

Affected version:

JasPer <= 1.900.1

Fixed version:

JasPer, N/A

Credit: vulnerability report received from the Google Security Team.

CVE: CVE-2014-8137 (double-free), CVE-2014-8138 (heap overflow)

Timeline:

2014-12-10: vulnerability report received
2014-12-10: contacted affected vendors
2014-12-10: assigned CVEs
2014-12-18: patch contributed by Tomas Hoger from Red Hat Product Security
2014-12-18: advisory release

References:
http://www.ece.uvic.ca/~frodo/jasper
https://bugzilla.redhat.com/show_bug.cgi?id=1173157
https://bugzilla.redhat.com/show_bug.cgi?id=1173162

Permalink:
http://www.ocert.org/advisories/ocert-2014-012.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-01-04 18:18:10 UTC
+*jasper-1.900.1-r8 (04 Jan 2015)
+
+  04 Jan 2015; Justin Lecher <jlec@gentoo.org> +jasper-1.900.1-r8.ebuild,
+  +files/jasper-CVE-2014-8137.patch, +files/jasper-CVE-2014-8138.patch:
+  Import fixes for CVE-2014-8137/8 from fedora, #533744
+
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-01-04 18:18:37 UTC
@arches, please stabilize.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 18:29:08 UTC
CVE-2014-8138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8138):
  Heap-based buffer overflow in the jp2_decode function in JasPer 1.900.1 and
  earlier allows remote attackers to cause a denial of service (crash) or
  possibly execute arbitrary code via a crafted JPEG 2000 file.

CVE-2014-8137 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8137):
  Double free vulnerability in the jas_iccattrval_destroy function in JasPer
  1.900.1 and earlier allows remote attackers to cause a denial of service
  (crash) or possibly execute arbitrary code via a crafted ICC color profile
  in a JPEG 2000 image file.
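Both the oCERT advisory in the description and the NVD text above say the trigger is a crafted JPEG 2000 file, and for CVE-2014-8137 specifically an ICC colour profile carried inside it. The following triage helper is an added example, not part of this bug report, of the Gentoo patches, or of JasPer itself: it walks the JP2 box structure as laid out in ISO/IEC 15444-1 Annex I (LBox/TBox/XLBox headers, the jp2h superbox, the colr box with METH/PREC/APPROX) and reports whether a file embeds an ICC profile and whether the ICC header's own declared size agrees with the bytes actually present. That mismatch check is a generic "this file was tampered with" heuristic, not a reproduction of the JasPer bugs, whose internals the page does not describe. Sample input is constructed inline (an empty codestream box, so it is not a decodable image); the function names and the mismatch heuristic are this example's own.

```python
"""Triage helper for JP2 files: list ICC colour profiles and sanity-check box lengths.

Added example, not code from the Gentoo bug, its patches, or JasPer. Box layout
per ISO/IEC 15444-1 Annex I; the size-mismatch heuristic is this example's own.
"""
import struct

JP2_SIGNATURE = b"\r\n\x87\n"   # payload of the leading 'jP  ' signature box


def iter_boxes(buf, start=0, end=None):
    """Yield (tbox, payload_start, box_end) for each box in buf[start:end].
    Raises ValueError on a truncated header or a length that overruns the container."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated box header at offset %d" % pos)
        lbox = struct.unpack_from(">I", buf, pos)[0]
        tbox = buf[pos + 4:pos + 8]
        hdr = 8
        if lbox == 1:                       # 64-bit XLBox follows the type
            if end - pos < 16:
                raise ValueError("truncated XLBox at offset %d" % pos)
            length = struct.unpack_from(">Q", buf, pos + 8)[0]
            hdr = 16
        elif lbox == 0:                     # box extends to the end of its container
            length = end - pos
        else:
            length = lbox
        if length < hdr or pos + length > end:
            raise ValueError("box %r at offset %d has bad length %d" % (tbox, pos, length))
        yield tbox, pos + hdr, pos + length
        pos += length


def parse_colr(payload):
    """colr box: METH 1 = enumerated colourspace, 2 = restricted ICC (Part 1), 3 = any ICC (Part 2)."""
    if len(payload) < 3:
        raise ValueError("colr box too short")
    info = {"meth": payload[0], "prec": payload[1], "approx": payload[2]}
    if info["meth"] == 1:
        if len(payload) < 7:
            raise ValueError("colr box with METH=1 lacks EnumCS")
        info["enumcs"] = struct.unpack_from(">I", payload, 3)[0]
    else:
        icc = payload[3:]
        info["icc_bytes"] = len(icc)
        # The first 4 bytes of an ICC profile header are the profile's own declared size.
        info["declared_size"] = struct.unpack_from(">I", icc, 0)[0] if len(icc) >= 4 else None
        info["size_mismatch"] = info["declared_size"] != len(icc)
    return info


def parse_jp2(buf):
    """Return signature/brand status and every colr box found inside jp2h."""
    result = {"signature_ok": False, "brand": None, "colr": []}
    for tbox, p0, p1 in iter_boxes(buf):
        if tbox == b"jP  ":
            result["signature_ok"] = buf[p0:p1] == JP2_SIGNATURE
        elif tbox == b"ftyp":
            result["brand"] = buf[p0:p0 + 4]
        elif tbox == b"jp2h":                # superbox: its payload is again a box sequence
            for sub, s0, s1 in iter_boxes(buf, p0, p1):
                if sub == b"colr":
                    result["colr"].append(parse_colr(buf[s0:s1]))
    return result


def icc_profiles(buf):
    """Only the colr entries that embed an ICC profile (METH 2 or 3)."""
    return [c for c in parse_jp2(buf)["colr"] if c["meth"] in (2, 3)]


def is_wellformed(buf):
    try:
        parse_jp2(buf)
        return True
    except ValueError:
        return False


# ---- constructed sample input (not a real image: the codestream box is empty) ----

def box(tbox, payload):
    return struct.pack(">I", 8 + len(payload)) + tbox + payload


def make_icc(declared_size, actual_size=132):
    """Minimal ICC blob: 128-byte header (size field first) plus a zero tag count.
    declared_size is what the header claims; actual_size is the real length emitted."""
    body = struct.pack(">I", declared_size) + b"\x00" * 124 + struct.pack(">I", 0)
    return body.ljust(actual_size, b"\x00")[:actual_size]


def build_sample_jp2(icc):
    sig = box(b"jP  ", JP2_SIGNATURE)
    ftyp = box(b"ftyp", b"jp2 " + struct.pack(">I", 0) + b"jp2 ")
    ihdr = box(b"ihdr", struct.pack(">IIHBBBB", 1, 1, 3, 7, 7, 0, 0))  # 1x1, 3 comps, 8 bpc
    colr = box(b"colr", bytes([2, 0, 0]) + icc)   # METH=2: restricted ICC profile
    jp2c = box(b"jp2c", b"")                        # placeholder codestream
    return sig + ftyp + box(b"jp2h", ihdr + colr) + jp2c


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jp2(make_icc(4096))
    print(parse_jp2(data))
```

Run it against a sample (`python jp2_triage.py file.jp2`) before handing the file to an unpatched JasPer; a `size_mismatch` of `True`, or a `ValueError` from a box whose LBox overruns its container, is reason to quarantine the sample rather than decode it. Note that a consistent ICC header says nothing about whether the profile is safe; this only surfaces the obvious tampering.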
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-04 21:53:26 UTC
(In reply to Justin Lecher from comment #2)
> @arches, please stabilize.

You're supposed to say what is to be stabilised.
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2015-01-05 08:26:55 UTC
(In reply to Jeroen Roovers from comment #4)
> (In reply to Justin Lecher from comment #2)
> > @arches, please stabilize.
> 
> You're supposed to say what is to be stabilised.

How about media-libs/jasper-1.900.1-r8 ?
Comment 6 Agostino Sarubbo gentoo-dev 2015-01-05 15:12:50 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-01-05 15:13:20 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-06 10:09:07 UTC
Stable for HPPA.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-01-08 00:17:04 UTC
> 
> How about media-libs/jasper-1.900.1-r8 ?

Something like this:

Arches, please test and mark stable:

=media-libs/jasper-1.900.1-r8

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 10 Agostino Sarubbo gentoo-dev 2015-01-09 08:38:29 UTC
ppc stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2015-01-09 14:03:09 UTC
Stable on alpha.
Comment 12 Markus Meier gentoo-dev 2015-01-11 21:04:47 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-01-13 10:21:30 UTC
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-01-14 13:52:03 UTC
ppc64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-01-16 08:08:55 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Justin Lecher (RETIRED) gentoo-dev 2015-01-16 08:21:17 UTC
+  16 Jan 2015; Justin Lecher <jlec@gentoo.org> -jasper-1.900.1-r7.ebuild:
+  Cleanup vulnerable versions for CVE-2014-{8137,8138}, #533744
+
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-17 18:46:54 UTC
Thanks everyone.

GLSA draft needs another review.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2015-03-06 15:29:21 UTC
This issue was resolved and addressed in
 GLSA 201503-01 at http://security.gentoo.org/glsa/glsa-201503-01.xml
by GLSA coordinator Mikle Kolyada (Zlogene).