Your message dated Sun, 25 Jan 2015 15:17:07 +0000
with message-id <[email protected]>
and subject line Bug#775970: fixed in jasper 1.900.1-13+deb7u3
has caused the Debian Bug report #775970,
regarding jasper: CVE-2014-8157 CVE-2014-8158
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
775970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775970
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libjasper1
Version: 1.900.1-13+deb7u2
Severity: grave
Tags: security upstream
Justification: user security hole
From: http://www.ocert.org/advisories/ocert-2015-001.html
The library is affected by an off-by-one error in a buffer boundary
check in jpc_dec_process_sot(), leading to a heap-based buffer
overflow, as well as multiple unrestricted stack memory use issues in
jpc_qmfb.c, leading to stack overflow.
A specially crafted jp2 file can be used to trigger the
vulnerabilities.
-- System Information:
Debian Release: 7.8
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libjasper1 depends on:
ii libc6 2.13-38+deb7u6
ii libjpeg8 8d-1+deb7u1
ii multiarch-support 2.13-38+deb7u6
libjasper1 recommends no packages.
Versions of packages libjasper1 suggests:
pn libjasper-runtime <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: jasper
Source-Version: 1.900.1-13+deb7u3
We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated jasper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 22 Jan 2015 16:39:58 +0100
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source amd64
Version: 1.900.1-13+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Roland Stigge <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
libjasper-dev - Development files for the JasPer JPEG-2000 library
libjasper-runtime - Programs for manipulating JPEG-2000 files
libjasper1 - JasPer JPEG-2000 runtime library
Closes: 775970
Changes:
jasper (1.900.1-13+deb7u3) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add 07-CVE-2014-8157.patch patch.
CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
(Closes: #775970)
* Add 08-CVE-2014-8158.patch patch.
CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes:
#775970)
Checksums-Sha1:
d1690d295c1c1dfe3dba7bb88ef5cc2483ba0aa9 1878 jasper_1.900.1-13+deb7u3.dsc
c2dd86e61c07a04609773fb840ff0796c436fe30 33864 jasper_1.900.1-13+deb7u3.debian.tar.gz
a53462f64291a92821885b624e92b302115785b1 160120 libjasper1_1.900.1-13+deb7u3_amd64.deb
ec0e6e78c999e26726621363b3993ab595fd1bf6 569224 libjasper-dev_1.900.1-13+deb7u3_amd64.deb
f0c2c136fcf7c14a9e33ee74ceb2f6d38beb9678 27274 libjasper-runtime_1.900.1-13+deb7u3_amd64.deb
Checksums-Sha256:
6be5b2a5d45bf4de081e218fb01f12cf20e8436a602a8b289f273c1683038148 1878 jasper_1.900.1-13+deb7u3.dsc
4440e323793fe8fb9de352a4460b28a7a58b78cd269c8e778ea5cc026e5b6b9e 33864 jasper_1.900.1-13+deb7u3.debian.tar.gz
656500ae418c6a6a00c70916571c3455dee5745cc4f166862d40eee44e273a13 160120 libjasper1_1.900.1-13+deb7u3_amd64.deb
2cfe9bf82564958f5d20acdba9eb87c9ff9e9cc104baefca1a5d576079125c7c 569224 libjasper-dev_1.900.1-13+deb7u3_amd64.deb
45ffc604726b7fe5496e4cf87658cb7c8d525002d6b679287e51703709674c74 27274 libjasper-runtime_1.900.1-13+deb7u3_amd64.deb
Files:
925fc6931d68b53e2ec1f4afcd35e04f 1878 graphics optional jasper_1.900.1-13+deb7u3.dsc
9765c9bd45d2d6f0ac5d73c4a1c42c79 33864 graphics optional jasper_1.900.1-13+deb7u3.debian.tar.gz
a210810924e691c6ca2452629bc617b5 160120 libs optional libjasper1_1.900.1-13+deb7u3_amd64.deb
5e99aebc6c62cde98edcc7e80837da6c 569224 libdevel optional libjasper-dev_1.900.1-13+deb7u3_amd64.deb
df449eb8ce10177b0a2b242b609f3b38 27274 graphics optional libjasper-runtime_1.900.1-13+deb7u3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
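The two bug classes described in this thread (the reporter's summary of the oCERT advisory, and the changelog entries for 07-CVE-2014-8157.patch and 08-CVE-2014-8158.patch) as a constructed C illustration. This is added example code, not JasPer's source and not Debian's patches: the shape of the checks is modelled on the descriptions above (a tile index compared against dec->numtiles with > where >= is needed, and a wavelet-filter scratch buffer whose size is taken straight from codestream data). Only the names numtiles and tileno come from the page; struct dec, process_sot_vuln/process_sot_fixed, split_vla, split_bounded, sot_outcome, split_demo, SPLITBUF_SIZE and the guard-slot trick are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not JasPer's code: an off-by-one tile-index
 * check before a heap array write (the CVE-2014-8157 class) and a stack
 * buffer sized by codestream data (the CVE-2014-8158 class). */

#define GUARD 0x5a5a5a5a
#define SPLITBUF_SIZE 64

struct tile { int32_t seen; };
struct dec  { unsigned numtiles; struct tile *tiles; };

/* Vulnerable: tileno == numtiles passes and indexes one past the array. */
static int process_sot_vuln(struct dec *d, unsigned tileno)
{
    if (tileno > d->numtiles)              /* off-by-one: must be >= */
        return -1;
    d->tiles[tileno].seen = 1;
    return 0;
}

/* Fixed: a zero-based index is valid only when strictly below the count. */
static int process_sot_fixed(struct dec *d, unsigned tileno)
{
    if (tileno >= d->numtiles)
        return -1;
    d->tiles[tileno].seen = 1;
    return 0;
}

/* Runs one SOT check against a tile array carrying one extra guard element,
 * so the overrun is observable without corrupting the heap. Returns
 * 0 = rejected, 1 = written in bounds, 2 = write hit the guard, -1 = no memory. */
static int sot_outcome(unsigned numtiles, unsigned tileno, int use_fixed)
{
    struct dec d = { numtiles, calloc((size_t)numtiles + 1, sizeof(struct tile)) };
    if (!d.tiles) return -1;
    d.tiles[numtiles].seen = GUARD;        /* must never be written */
    int rc = use_fixed ? process_sot_fixed(&d, tileno)
                       : process_sot_vuln(&d, tileno);
    int out = rc != 0 ? 0 : (d.tiles[numtiles].seen == GUARD ? 1 : 2);
    free(d.tiles);
    return out;
}

/* Vulnerable: the VLA length n is the sample count read from the file, so
 * a crafted image chooses the frame size (n == 0 is undefined as well). */
static long long split_vla(const int *x, size_t n)
{
    int buf[n];
    size_t k = 0;
    for (size_t i = 1; i < n; i += 2) buf[k++] = x[i];   /* odd samples */
    long long sum = 0;
    for (size_t i = 0; i < k; i++) sum += buf[i];
    return sum;
}

/* Bounded: fixed stack buffer, heap fallback once the file needs more, and
 * the byte count checked for wraparound before malloc. Returns 0 or -1. */
static int split_bounded(const int *x, size_t n, long long *sum)
{
    int stackbuf[SPLITBUF_SIZE], *buf = stackbuf, on_heap = 0;
    size_t half = n / 2, k = 0;            /* odd-indexed slots needed */
    if (half > SPLITBUF_SIZE) {
        if (half > SIZE_MAX / sizeof *buf) return -1;
        if (!(buf = malloc(half * sizeof *buf))) return -1;
        on_heap = 1;
    }
    for (size_t i = 1; i < n; i += 2) buf[k++] = x[i];
    *sum = 0;
    for (size_t i = 0; i < k; i++) *sum += buf[i];
    if (on_heap) free(buf);
    return 0;
}

/* Builds the constructed input x[i] = i and returns the odd-sample sum,
 * which is (n/2)^2 for that input, or -1 on failure; bounded == 0 uses the VLA. */
static long long split_demo(size_t n, int bounded)
{
    int *x = malloc((n ? n : 1) * sizeof *x);
    if (!x) return -1;
    for (size_t i = 0; i < n; i++) x[i] = (int)i;
    long long sum = 0;
    int rc = 0;
    if (bounded) rc = split_bounded(x, n, &sum);
    else sum = split_vla(x, n);
    free(x);
    return rc == 0 ? sum : -1;
}

int main(void)
{
    printf("vuln  tileno==numtiles -> %d\n", sot_outcome(4, 4, 0));   /* 2 */
    printf("fixed tileno==numtiles -> %d\n", sot_outcome(4, 4, 1));   /* 0 */
    printf("bounded split, n=1000  -> %lld\n", split_demo(1000, 1)); /* 250000 */
    return 0;
}
```

sot_outcome() allocates one guard element past the tile array so the one-element overrun is visible as a changed guard value; in the real library the write lands on whatever the allocator placed after the tile array, which is why the advisory classes it as a heap-based buffer overflow rather than a plain crash. split_bounded() is the pattern to use instead of a VLA in a decoder: a fixed stack buffer, a heap fallback when the file's dimensions need more, and an overflow check on the byte count before the multiplication that feeds malloc.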