614030 – (CVE-2017-6850) <media-libs/jasper-2.0.14: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) (CVE-2017-6850)

Bug 614030 (CVE-2017-6850) - <media-libs/jasper-2.0.14: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) (CVE-2017-6850)

Summary: <media-libs/jasper-2.0.14: NULL pointer dereference in jp2_cdef_destroy (jp2_...

Status:	RESOLVED FIXED

Alias:	CVE-2017-6850

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://blogs.gentoo.org/ago/2017/01/...
Whiteboard:	B3 [noglsa cve]
Keywords:

Duplicates (1):	624986 (view as bug list)
Depends on:
Blocks:

Reported:	2017-03-27 09:24 UTC by Agostino Sarubbo
Modified:	2018-05-15 14:58 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	media-libs/jasper-2.0.14
Runtime testing required:	No

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-03-27 09:24:49 UTC

Details at $URL.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Yury German Gentoo Infrastructure

2017-03-28 06:15:11 UTC

CVE ID: CVE-2017-6850
   Summary: The jp2_cdef_destroy function in jp2_cod.c in JasPer before 2.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image.
 Published: 2017-03-15T14:59:01.000Z

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-03 20:32:12 UTC

Fixed in v2.0.13 via https://github.com/mdadams/jasper/commit/e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d

@ Maintainer(s): Please bump to >=media-libs/jasper-2.0.13!

Comment 3 Andrey Ovcharov 2017-07-14 12:18:14 UTC

*** Bug 624986 has been marked as a duplicate of this bug. ***

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2018-02-17 23:38:52 UTC

First fixed version in Gentoo: media-libs/jasper-2.0.14

Comment 5 Aaron Bauman (RETIRED) gentoo-dev

2018-03-23 21:46:11 UTC

@arches, please stabilize.

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-23 23:40:49 UTC

ia64 stable

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-24 11:15:44 UTC

ppc/ppc64 stable

Comment 8 Mikle Kolyada (RETIRED) archtester

2018-03-24 22:11:32 UTC

amd64 stable

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2018-03-25 22:44:40 UTC

x86 stable

Comment 10 Tobias Klausmann (RETIRED) gentoo-dev

2018-03-31 10:12:48 UTC

Stable on alpha.

Comment 11 Markus Meier gentoo-dev

2018-04-08 10:47:12 UTC

arm stable

Comment 12 Matt Turner gentoo-dev

2018-04-22 20:19:38 UTC

hppa stable

Comment 13 Aaron Bauman (RETIRED) gentoo-dev

2018-04-22 21:16:15 UTC

sparc was missed... giving them a chance.

Comment 14 Larry the Git Cow gentoo-dev

2018-05-08 18:43:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12a61328fec7deae01bea9186f885ff2b432bd51

commit 12a61328fec7deae01bea9186f885ff2b432bd51
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-08 18:10:04 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-08 18:42:38 +0000

    media-libs/jasper: stable 2.0.14 for sparc
    
    Bug: https://bugs.gentoo.org/614030
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 media-libs/jasper/jasper-2.0.14.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 15 Aaron Bauman (RETIRED) gentoo-dev

2018-05-15 14:53:02 UTC

(In reply to Sergei Trofimovich from comment #7)
> ppc/ppc64 stable

keywords updated per this comment.

Comment 16 Larry the Git Cow gentoo-dev

2018-05-15 14:57:25 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8733e400fb540e3161ec866ee4092ccc5a8fb713

commit 8733e400fb540e3161ec866ee4092ccc5a8fb713
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-05-15 14:56:32 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-15 14:57:15 +0000

    media-libs/jasper: drop vulnerable
    
    Bug: https://bugs.gentoo.org/614030
    Package-Manager: Portage-2.3.36, Repoman-2.3.9

 media-libs/jasper/Manifest             |  1 -
 media-libs/jasper/jasper-2.0.12.ebuild | 63 ----------------------------------
 2 files changed, 64 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f007101af64f8f0a1143c2401ba51edb3852ddf

commit 4f007101af64f8f0a1143c2401ba51edb3852ddf
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-05-15 14:55:10 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-15 14:57:11 +0000

    media-libs/jasper: stable ppc/ppc64 per slyfox's comment on bug
    
    Bug: https://bugs.gentoo.org/614030
    Package-Manager: Portage-2.3.36, Repoman-2.3.9

 media-libs/jasper/jasper-2.0.14.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 17 Aaron Bauman (RETIRED) gentoo-dev

2018-05-15 14:58:18 UTC

GLSA Vote: No