https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-write-in-dec_clnpass-jpc_t1dec-c https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jpc_undo_roi-jpc_dec-c https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jas_matrix_asl-jas_seq-c https://blogs.gentoo.org/ago/2017/01/25/jasper-invalid-memory-read-in-jas_matrix_bindsub-jas_seq-c
CVE ID: CVE-2017-5503 Summary: The dec_clnpass function in libjasper/jpc/jpc_t1dec.c in JasPer 1.900.27 allows remote attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via a crafted image. Published: 2017-03-01T15:59:00.000Z ______________________________ CVE ID: CVE-2017-5504 Summary: The jpc_undo_roi function in libjasper/jpc/jpc_dec.c in JasPer 1.900.27 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted image. Published: 2017-03-01T15:59:00.000Z ______________________________ CVE ID: CVE-2017-5505 Summary: The jas_matrix_asl function in jas_seq.c in JasPer 1.900.27 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted image. Published: 2017-03-16T15:59:00.000Z ______________________________ CVE ID: CVE-2017-6851 Summary: The jas_matrix_bindsub function in jas_seq.c in JasPer 2.0.10 allows remote attackers to cause a denial of service (invalid read) via a crafted image. Published: 2017-03-15T14:59:01.000Z
*** Bug 618478 has been marked as a duplicate of this bug. ***
*** Bug 618480 has been marked as a duplicate of this bug. ***
*** Bug 618482 has been marked as a duplicate of this bug. ***
Status as of 2.014 - Upstream Not Fixed CVE-2017-5503 - Not Fixed - https://github.com/mdadams/jasper/issues/90 CVE-2017-5504 - Not Fixed - https://github.com/mdadams/jasper/issues/89 CVE-2017-5505 - Not Fixed - https://github.com/mdadams/jasper/issues/88 CVE-2017-6851 - Not Fixed - https://github.com/mdadams/jasper/issues/113
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c70fe723dcfe0fabab75f3a76942207018e83e1f commit c70fe723dcfe0fabab75f3a76942207018e83e1f Author: David Seifert <soap@gentoo.org> AuthorDate: 2019-07-14 10:29:20 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2019-07-14 10:29:20 +0000 package.mask: Last rite media-libs/jasper Bug: https://bugs.gentoo.org/601068 Bug: https://bugs.gentoo.org/614028 Bug: https://bugs.gentoo.org/614032 Bug: https://bugs.gentoo.org/614566 Bug: https://bugs.gentoo.org/619120 Bug: https://bugs.gentoo.org/624988 Bug: https://bugs.gentoo.org/629286 Bug: https://bugs.gentoo.org/635552 Bug: https://bugs.gentoo.org/662160 Bug: https://bugs.gentoo.org/674154 Bug: https://bugs.gentoo.org/674214 Bug: https://bugs.gentoo.org/684826 Bug: https://bugs.gentoo.org/689784 Signed-off-by: David Seifert <soap@gentoo.org> profiles/base/package.use.mask | 23 +++++++++++++++++++++++ profiles/package.mask | 7 +++++++ 2 files changed, 30 insertions(+)
This issue was resolved and addressed in GLSA 201908-03 at https://security.gentoo.org/glsa/201908-03 by GLSA coordinator Aaron Bauman (b-man).
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77aebdf0b31765b33831ca5b02ea3d98f13c46cd commit 77aebdf0b31765b33831ca5b02ea3d98f13c46cd Author: David Seifert <soap@gentoo.org> AuthorDate: 2019-08-27 09:07:01 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2019-08-27 09:07:01 +0000 media-libs/jasper: Remove from tree Bug: https://bugs.gentoo.org/674214 Closes: https://bugs.gentoo.org/601068 Closes: https://bugs.gentoo.org/614028 Closes: https://bugs.gentoo.org/614032 Closes: https://bugs.gentoo.org/614566 Closes: https://bugs.gentoo.org/619120 Closes: https://bugs.gentoo.org/624988 Closes: https://bugs.gentoo.org/629286 Closes: https://bugs.gentoo.org/635552 Closes: https://bugs.gentoo.org/662160 Closes: https://bugs.gentoo.org/674154 Closes: https://bugs.gentoo.org/684826 Closes: https://bugs.gentoo.org/689784 Package-Manager: Portage-2.3.72, Repoman-2.3.17 Signed-off-by: David Seifert <soap@gentoo.org> media-libs/jasper/Manifest | 2 - .../files/jasper-2.0.14-fix-test-suite.patch | 28 --------- media-libs/jasper/jasper-2.0.14.ebuild | 67 ---------------------- media-libs/jasper/jasper-2.0.16.ebuild | 65 --------------------- media-libs/jasper/jasper-9999.ebuild | 65 --------------------- media-libs/jasper/metadata.xml | 11 ---- 6 files changed, 238 deletions(-)