jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.
A crafted image, maybe posted in the past as testcase for another bug, causes in the 1.900.18 version a use-after-free. No fuzzers involved at this time.
This bug was discovered by Agostino Sarubbo of Gentoo.
2016-11-02: bug discovered and reported to upstream
2016-11-06: upstream released a patch and 1.900.22
2016-11-07: blog post about the issue
2016-11-10: CVE assigned
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I didn't file the bugs here because for now, jasper is in continue update because of security bugs.
There are dozens of bugs still open. I'd like to stabilize a version which at least covers something else, to avoid arches to stabilize more versions in few days.
The first upstream version that contains the fix for this bug is 1.900.22
The first fixed version in tree was 1.900.26
So it will be fixed in the next stabilization of jasper.
I'm adding stable blocked because there are some things that seems to not work in the latest jasper regards multilib and gold/bfd
Version 2.0.12 in tree. Old removed
Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA Request.
This issue was resolved and addressed in
GLSA 201707-07 at https://security.gentoo.org/glsa/201707-07
by GLSA coordinator Thomas Deutschmann (whissi).