Your message dated Tue, 27 Jan 2015 18:18:44 +0000
with message-id <[email protected]>
and subject line Bug#775970: fixed in jasper 1.900.1-debian1-2.4
has caused the Debian Bug report #775970,
regarding jasper: CVE-2014-8157 CVE-2014-8158
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
775970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775970
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libjasper1
Version: 1.900.1-13+deb7u2
Severity: grave
Tags: security upstream
Justification: user security hole

From: http://www.ocert.org/advisories/ocert-2015-001.html

The library is affected by an off-by-one error in a buffer boundary
check in jpc_dec_process_sot(), leading to a heap based buffer
overflow, as well as multiple unrestricted stack memory use issues in
jpc_qmfb.c, leading to stack overflow.

A specially crafted jp2 file can be used to trigger the
vulnerabilities.

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libjasper1 depends on:
ii  libc6              2.13-38+deb7u6
ii  libjpeg8           8d-1+deb7u1
ii  multiarch-support  2.13-38+deb7u6

libjasper1 recommends no packages.

Versions of packages libjasper1 suggests:
pn  libjasper-runtime  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: jasper
Source-Version: 1.900.1-debian1-2.4

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Jan 2015 17:09:24 +0100
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source amd64
Version: 1.900.1-debian1-2.4
Distribution: unstable
Urgency: high
Maintainer: Roland Stigge <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - JasPer JPEG-2000 runtime library
Closes: 775970
Changes:
 jasper (1.900.1-debian1-2.4) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add 07-CVE-2014-8157.patch patch.
     CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
     (Closes: #775970)
   * Add 08-CVE-2014-8158.patch patch.
     CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes: #775970)
Checksums-Sha1:
 671278302ddba443c2bf1a4239d7cdedb235d78b 1927 jasper_1.900.1-debian1-2.4.dsc
 8edf28dab43a88903de4ca70c2753a6e45273a79 29504 jasper_1.900.1-debian1-2.4.debian.tar.xz
Checksums-Sha256:
 8d5f2e8de142c57220df75e965ea07628a2c70e20d87c3d25c82a10bafa9326e 1927 jasper_1.900.1-debian1-2.4.dsc
 64781a9307c5aee8c69c7ab78b699f67310172ec4a42202f50555c2a514f3249 29504 jasper_1.900.1-debian1-2.4.debian.tar.xz
Files:
 75490a9daf5859a8084e204dac1777e7 1927 graphics optional jasper_1.900.1-debian1-2.4.dsc
 5005a6124ed2d705e1beb7ea0e385c9e 29504 graphics optional jasper_1.900.1-debian1-2.4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
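The two bug classes named in the report above and again in the changelog (an off-by-one in the dec->numtiles bounds check in jpc_dec_process_sot(), and stack scratch buffers in jpc_qmfb.c sized by dimensions taken from the file) are modelled in the constructed C example below. This is an added illustration, not JasPer's source and not the Debian patches: the struct and function names (tile_t, dec_t, process_sot_vuln/process_sot_fixed, qmfb_split_vuln/qmfb_split_fixed), the SCRATCH_STACK_SIZE threshold and the sample rows are all assumptions chosen to show the pattern, and the comparison direction (> versus >=) is the generic shape of an off-by-one bounds check rather than a quotation of the real code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed decoder state (an assumption, not JasPer's real structs):
 * tiles[] is a heap array with exactly numtiles elements. */
typedef struct { int sot_seen; } tile_t;
typedef struct { size_t numtiles; tile_t *tiles; } dec_t;

/* Off-by-one bounds check, the shape described for CVE-2014-8157:
 * "tileno > numtiles" lets tileno == numtiles through, and that index is
 * one element past the end of the heap array. */
static int process_sot_vuln(dec_t *dec, size_t tileno)
{
    if (tileno > dec->numtiles)
        return -1;
    dec->tiles[tileno].sot_seen = 1;   /* heap write past the end when tileno == numtiles */
    return 0;
}

/* Hardened check: the only valid indices are 0 .. numtiles-1. */
static int process_sot_fixed(dec_t *dec, size_t tileno)
{
    if (tileno >= dec->numtiles)
        return -1;
    dec->tiles[tileno].sot_seen = 1;
    return 0;
}

/* Harness: allocate numtiles slots plus one canary slot right after them,
 * feed tileno == numtiles (what a crafted SOT marker would carry) and report
 * whether the canary was written: 1 = write landed past the logical end of
 * tiles[], 0 = the index was rejected. */
static int sot_writes_past_end(int (*process)(dec_t *, size_t), size_t numtiles)
{
    dec_t dec = { numtiles, calloc(numtiles + 1, sizeof(tile_t)) };
    if (!dec.tiles) return -1;
    (void)process(&dec, numtiles);
    int hit = dec.tiles[numtiles].sot_seen;
    free(dec.tiles);
    return hit;
}

/* Wavelet "split" step as in a QMFB lifting implementation: even-indexed
 * samples first, then odd-indexed. n comes from image/tile dimensions in
 * the file, so it is attacker controlled. */
#define SCRATCH_STACK_SIZE 1024

/* Vulnerable pattern (CVE-2014-8158 shape): scratch sized by n on the stack,
 * so a large n from a crafted file exhausts the stack. */
static int qmfb_split_vuln(const int32_t *in, size_t n, int32_t *out)
{
    int32_t scratch[n];               /* VLA, deliberately unbounded */
    size_t half = (n + 1) / 2;
    for (size_t i = 0; i < n; i++)
        scratch[(i & 1) ? half + i / 2 : i / 2] = in[i];
    memcpy(out, scratch, n * sizeof(int32_t));
    return 0;
}

/* Hardened pattern: fixed stack buffer for common sizes, checked heap
 * allocation beyond that. */
static int qmfb_split_fixed(const int32_t *in, size_t n, int32_t *out)
{
    int32_t stackbuf[SCRATCH_STACK_SIZE];
    int32_t *scratch = stackbuf;
    if (n > SCRATCH_STACK_SIZE) {
        if (n > SIZE_MAX / sizeof(int32_t)) return -1;   /* size would overflow */
        if (!(scratch = malloc(n * sizeof(int32_t)))) return -1;
    }
    size_t half = (n + 1) / 2;
    for (size_t i = 0; i < n; i++)
        scratch[(i & 1) ? half + i / 2 : i / 2] = in[i];
    memcpy(out, scratch, n * sizeof(int32_t));
    if (scratch != stackbuf) free(scratch);
    return 0;
}

/* Both split variants must agree on a small constructed row, and the
 * hardened one must also handle a row far larger than the stack buffer.
 * Returns 1 on success, 0 on any mismatch or allocation failure. */
static int split_selfcheck(void)
{
    const int32_t in[6] = { 1, 2, 3, 4, 5, 6 };   /* constructed sample row */
    const int32_t want[6] = { 1, 3, 5, 2, 4, 6 };
    int32_t a[6], b[6];
    if (qmfb_split_vuln(in, 6, a) || qmfb_split_fixed(in, 6, b)) return 0;
    if (memcmp(a, want, sizeof want) || memcmp(b, want, sizeof want)) return 0;
    size_t n = (size_t)1 << 20;                   /* 4 MiB, well past SCRATCH_STACK_SIZE */
    int32_t *big_in = malloc(n * sizeof(int32_t)), *big_out = malloc(n * sizeof(int32_t));
    if (!big_in || !big_out) { free(big_in); free(big_out); return 0; }
    for (size_t i = 0; i < n; i++) big_in[i] = (int32_t)i;
    int ok = qmfb_split_fixed(big_in, n, big_out) == 0
          && big_out[0] == 0 && big_out[1] == 2 && big_out[n / 2] == 1;
    free(big_in); free(big_out);
    return ok;
}
```

To watch the first bug trip a sanitizer rather than a canary, drop the "+ 1" from the calloc in sot_writes_past_end and build with `cc -std=c99 -fsanitize=address`; process_sot_vuln then produces a heap-buffer-overflow report on the one-past-the-end write while process_sot_fixed stays clean. The VLA variant is only ever called with a six-element row here; calling it with a file-controlled n of a few megabytes is the stack exhaustion the second CVE describes.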
