From ${URL} :

#2014-012 JasPer input sanitization errors

Description:

The JasPer project is an open source implementation for the JPEG-2000 codec. The library is affected by a double-free vulnerability in function jas_iccattrval_destroy() as well as a heap-based buffer overflow in function jp2_decode(). A specially crafted jp2 file can be used to trigger the vulnerabilities.

Affected version:
JasPer <= 1.900.1

Fixed version:
JasPer, N/A

Credit: vulnerability report received from the Google Security Team.

CVE: CVE-2014-8137 (double-free), CVE-2014-8138 (heap overflow)

Timeline:
2014-12-10: vulnerability report received
2014-12-10: contacted affected vendors
2014-12-10: assigned CVEs
2014-12-18: patch contributed by Tomas Hoger from Red Hat Product Security
2014-12-18: advisory release

References:
http://www.ece.uvic.ca/~frodo/jasper
https://bugzilla.redhat.com/show_bug.cgi?id=1173157
https://bugzilla.redhat.com/show_bug.cgi?id=1173162

Permalink: http://www.ocert.org/advisories/ocert-2014-012.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
+*jasper-1.900.1-r8 (04 Jan 2015)
+
+  04 Jan 2015; Justin Lecher <jlec@gentoo.org> +jasper-1.900.1-r8.ebuild,
+  +files/jasper-CVE-2014-8137.patch, +files/jasper-CVE-2014-8138.patch:
+  Import fixes for CVE-2014-8137/8 from fedora, #533744
+
@arches, please stabilize.
CVE-2014-8138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8138):
Heap-based buffer overflow in the jp2_decode function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 file.

CVE-2014-8137 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8137):
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file.
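For an administrator auditing a Gentoo host against these two CVEs, the practical question is whether the installed media-libs/jasper is older than the first fixed revision. The following POSIX sh snippet is an added example, not part of this bug thread or of the jasper package; it assumes, as the thread states, that jasper-1.900.1-r8 is the first fixed ebuild, and it implements a simplified Gentoo-style version comparison (dotted numeric components plus an optional -rN revision, not the full PMS version grammar). The version strings in the demo loop are constructed sample input.

```sh
#!/bin/sh
# Added example (not from the bug thread): is an installed media-libs/jasper
# version still exposed to CVE-2014-8137 / CVE-2014-8138 on Gentoo?
# Assumption: the first fixed ebuild is jasper-1.900.1-r8; anything that
# compares lower (older base version, or 1.900.1 with revision < 8) is
# treated as vulnerable. Simplified comparison: dotted numeric components
# plus an optional "-rN" revision; a missing revision counts as r0.

FIXED_VERSION="1.900.1-r8"

# "1.900.1-r8" -> "1.900.1"
version_base() {
    case "$1" in
        *-r[0-9]*) printf '%s\n' "${1%-r*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# "1.900.1-r8" -> "8"; no revision -> "0"
version_rev() {
    case "$1" in
        *-r[0-9]*) printf '%s\n' "${1##*-r}" ;;
        *)         printf '%s\n' 0 ;;
    esac
}

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1; a missing trailing component is treated as 0.
compare_dotted() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ -z "$ah" ]; then ah=0; fi
        if [ -z "$bh" ]; then bh=0; fi
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# Compare full versions including the -rN revision. Prints -1, 0 or 1.
compare_versions() {
    c=$(compare_dotted "$(version_base "$1")" "$(version_base "$2")")
    if [ "$c" -ne 0 ]; then printf '%s\n' "$c"; return; fi
    ra=$(version_rev "$1"); rb=$(version_rev "$2")
    if [ "$ra" -lt "$rb" ]; then printf '%s\n' -1
    elif [ "$ra" -gt "$rb" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# Exit status 0 (true) when the given jasper version predates the fix.
jasper_vulnerable() {
    [ "$(compare_versions "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Demo over constructed sample versions (these are not real host data).
for v in 1.900.1-r7 1.900.1 1.900.1-r8 1.900.1-r9 1.900.2 1.800; do
    if jasper_vulnerable "$v"; then
        printf 'jasper-%s: VULNERABLE (older than %s)\n' "$v" "$FIXED_VERSION"
    else
        printf 'jasper-%s: fixed\n' "$v"
    fi
done
```

On a real host the version string would come from the package database (for example the name of the directory under /var/db/pkg/media-libs/), and the same check is what a GLSA-driven tool performs when it matches an installed atom against the advisory's unaffected range.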
(In reply to Justin Lecher from comment #2)
> @arches, please stabilize.

You're supposed to say what is to be stabilised.
(In reply to Jeroen Roovers from comment #4)
> (In reply to Justin Lecher from comment #2)
> > @arches, please stabilize.
>
> You're supposed to say what is to be stabilised.

How about media-libs/jasper-1.900.1-r8 ?
amd64 stable
x86 stable
Stable for HPPA.
> > How about media-libs/jasper-1.900.1-r8 ?

Something like this:

Arches, please test and mark stable:
=media-libs/jasper-1.900.1-r8
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
ppc stable
Stable on alpha.
arm stable
sparc stable
ppc64 stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
+  16 Jan 2015; Justin Lecher <jlec@gentoo.org> -jasper-1.900.1-r7.ebuild:
+  Cleanup vulnerable versions for CVE-2014-{8137,8138}, #533744
+
Thanks everyone. GLSA draft needs another review.
This issue was resolved and addressed in GLSA 201503-01 at http://security.gentoo.org/glsa/glsa-201503-01.xml by GLSA coordinator Mikle Kolyada (Zlogene).