Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 599430 (CVE-2016-9262) - <media-libs/jasper-1.900.26: use after free in jas_realloc (jas_malloc.c)
Summary: <media-libs/jasper-1.900.26: use after free in jas_realloc (jas_malloc.c)
Alias: CVE-2016-9262
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
Depends on:
Reported: 2016-11-10 22:20 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-07-08 12:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-10 22:20:55 UTC
From $URL:

jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

A crafted image, maybe posted in the past as testcase for another bug, causes in the 1.900.18 version a use-after-free. No fuzzers involved at this time.

Affected version:

Fixed version:

Commit fix:

This bug was discovered by Agostino Sarubbo of Gentoo.



2016-11-02: bug discovered and reported to upstream
2016-11-06: upstream released a patch and 1.900.22
2016-11-07: blog post about the issue
2016-11-10: CVE assigned
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-10 22:26:43 UTC
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Agostino Sarubbo gentoo-dev 2016-11-11 09:01:27 UTC
hello Thomas.

I didn't file the bugs here because for now, jasper is in continue update because of security bugs.

There are dozens of bugs still open. I'd like to stabilize a version which at least covers something else, to avoid arches to stabilize more versions in few days.
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-29 17:01:42 UTC
The first upstream version that contains the fix for this bug is 1.900.22
The first fixed version in tree was 1.900.26

So it will be fixed in the next stabilization of jasper.

I'm adding stable blocked because there are some things that seems to not work in the latest jasper regards multilib and gold/bfd
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-05-21 06:22:12 UTC
Version 2.0.12 in tree. Old removed
Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA Request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:39:47 UTC
This issue was resolved and addressed in
 GLSA 201707-07 at
by GLSA coordinator Thomas Deutschmann (whissi).