Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 629286 (CVE-2017-13745, CVE-2017-13746, CVE-2017-13747, CVE-2017-13748, CVE-2017-13749, CVE-2017-13750, CVE-2017-13751, CVE-2017-13752, CVE-2017-13753) - media-libs/jasper: multiple Vulnerabilities (CVE-2017-{13745,13746,13747,13748,13749,13750,13751,13752,3745,3746,3747,3748,3749,3750,3751,3752,3753})
Summary: media-libs/jasper: multiple Vulnerabilities (CVE-2017-{13745,13746,13747,1374...
Status: RESOLVED FIXED
Alias: CVE-2017-13745, CVE-2017-13746, CVE-2017-13747, CVE-2017-13748, CVE-2017-13749, CVE-2017-13750, CVE-2017-13751, CVE-2017-13752, CVE-2017-13753
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-29 13:16 UTC by Aleksandr Wagner (Kivak)
Modified: 2019-08-27 09:07 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-08-29 13:16:52 UTC 
CVE-2017-13745 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13745):

There is a reachable assertion abort in the function jpc_dec_process_sot() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1485274

CVE-2017-13746 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13746):

There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1297 in JasPer 2.0.12 that will lead to a remote denial of service attack. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1485286

CVE-2017-13747 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13747):

There is a reachable assertion abort in the function jpc_floorlog2() in jpc/jpc_math.c in JasPer 2.0.12 that will lead to a remote denial of service attack. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1485282

CVE-2017-13748 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13748):

There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1485287

CVE-2017-13749 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13749):

There is a reachable assertion abort in the function jpc_pi_nextrpcl() in jpc/jpc_t2cod.c in JasPer 2.0.12 that will lead to a remote denial of service attack. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1485285

CVE-2017-13750 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13750):

There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1296 in JasPer 2.0.12 that will lead to a remote denial of service attack. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1485280

CVE-2017-13751 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13751):

There is a reachable assertion abort in the function calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1485283

CVE-2017-13752 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13752):

There is a reachable assertion abort in the function jpc_dequantize() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1485276

CVE-2017-13753 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13753):

There is a reachable assertion abort in the function JPC_NOMINALGAIN() in jpc/jpc_t1cod.c in JasPer 2.0.12 that will lead to a remote denial of service attack. 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1485272
Comment 1 Agostino Sarubbo gentoo-dev 2017-08-29 13:24:23 UTC 
They are duplicates of my findings on ~1year ago:
https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-10-19 17:38:30 UTC 
CVE-2017-13752 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13752):
  There is a reachable assertion abort in the function jpc_dequantize() in
  jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service
  attack.

CVE-2017-13751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13751):
  There is a reachable assertion abort in the function calcstepsizes() in
  jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service
  attack.

CVE-2017-13750 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13750):
  There is a reachable assertion abort in the function jpc_dec_process_siz()
  in jpc/jpc_dec.c:1296 in JasPer 2.0.12 that will lead to a remote denial of
  service attack.

CVE-2017-13749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13749):
  There is a reachable assertion abort in the function jpc_pi_nextrpcl() in
  jpc/jpc_t2cod.c in JasPer 2.0.12 that will lead to a remote denial of
  service attack.

CVE-2017-13748 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13748):
  There are lots of memory leaks in JasPer 2.0.12, triggered in the function
  jas_strdup() in base/jas_string.c, that will lead to a remote denial of
  service attack.

CVE-2017-13747 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13747):
  There is a reachable assertion abort in the function jpc_floorlog2() in
  jpc/jpc_math.c in JasPer 2.0.12 that will lead to a remote denial of service
  attack.

CVE-2017-13746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13746):
  There is a reachable assertion abort in the function jpc_dec_process_siz()
  in jpc/jpc_dec.c:1297 in JasPer 2.0.12 that will lead to a remote denial of
  service attack.

CVE-2017-13745 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13745):
  There is a reachable assertion abort in the function jpc_dec_process_sot()
  in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of
  service attack.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2018-11-12 23:43:22 UTC 
The following are for Version 2.0.14 currently in Tree

CVE-2017-13745 - Not Fixed
   - https://github.com/mdadams/jasper/issues/166
CVE-2017-13746 - Not Fixed
   - https://github.com/mdadams/jasper/issues/165
CVE-2017-13747 - Not Fixed
   - https://github.com/mdadams/jasper/issues/71
CVE-2017-13748 - Not Fixed
   - https://github.com/mdadams/jasper/issues/168
   - Fix Request - https://github.com/mdadams/jasper/pull/159
CVE-2017-13749 - Not Fixed
   - https://github.com/mdadams/jasper/issues/167
CVE-2017-13750 - Not Fixed
   - https://github.com/mdadams/jasper/issues/165
CVE-2017-13751 - not Fixed
   - https://github.com/mdadams/jasper/issues/83
CVE-2017-13752 - Not Fixed
   - https://github.com/mdadams/jasper/issues/56
CVE-2017-13753 - Could not find on Githumb - Unknown
Comment 4 Larry the Git Cow gentoo-dev 2019-07-14 10:29:54 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c70fe723dcfe0fabab75f3a76942207018e83e1f

commit c70fe723dcfe0fabab75f3a76942207018e83e1f
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2019-07-14 10:29:20 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2019-07-14 10:29:20 +0000

    package.mask: Last rite media-libs/jasper
    
    Bug: https://bugs.gentoo.org/601068
    Bug: https://bugs.gentoo.org/614028
    Bug: https://bugs.gentoo.org/614032
    Bug: https://bugs.gentoo.org/614566
    Bug: https://bugs.gentoo.org/619120
    Bug: https://bugs.gentoo.org/624988
    Bug: https://bugs.gentoo.org/629286
    Bug: https://bugs.gentoo.org/635552
    Bug: https://bugs.gentoo.org/662160
    Bug: https://bugs.gentoo.org/674154
    Bug: https://bugs.gentoo.org/674214
    Bug: https://bugs.gentoo.org/684826
    Bug: https://bugs.gentoo.org/689784
    Signed-off-by: David Seifert <soap@gentoo.org>

 profiles/base/package.use.mask | 23 +++++++++++++++++++++++
 profiles/package.mask          |  7 +++++++
 2 files changed, 30 insertions(+)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-08-09 20:39:30 UTC 
This issue was resolved and addressed in
 GLSA 201908-03 at https://security.gentoo.org/glsa/201908-03
by GLSA coordinator Aaron Bauman (b-man).
Comment 6 Larry the Git Cow gentoo-dev 2019-08-27 09:07:33 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77aebdf0b31765b33831ca5b02ea3d98f13c46cd

commit 77aebdf0b31765b33831ca5b02ea3d98f13c46cd
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2019-08-27 09:07:01 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2019-08-27 09:07:01 +0000

    media-libs/jasper: Remove from tree
    
    Bug: https://bugs.gentoo.org/674214
    Closes: https://bugs.gentoo.org/601068
    Closes: https://bugs.gentoo.org/614028
    Closes: https://bugs.gentoo.org/614032
    Closes: https://bugs.gentoo.org/614566
    Closes: https://bugs.gentoo.org/619120
    Closes: https://bugs.gentoo.org/624988
    Closes: https://bugs.gentoo.org/629286
    Closes: https://bugs.gentoo.org/635552
    Closes: https://bugs.gentoo.org/662160
    Closes: https://bugs.gentoo.org/674154
    Closes: https://bugs.gentoo.org/684826
    Closes: https://bugs.gentoo.org/689784
    Package-Manager: Portage-2.3.72, Repoman-2.3.17
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-libs/jasper/Manifest                         |  2 -
 .../files/jasper-2.0.14-fix-test-suite.patch       | 28 ---------
 media-libs/jasper/jasper-2.0.14.ebuild             | 67 ----------------------
 media-libs/jasper/jasper-2.0.16.ebuild             | 65 ---------------------
 media-libs/jasper/jasper-9999.ebuild               | 65 ---------------------
 media-libs/jasper/metadata.xml                     | 11 ----
 6 files changed, 238 deletions(-)