Debian Bug report logs -
#816626
jasper: CVE-2016-2116: memory leak in the jas_iccprof_createfrombuf function
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 3 Mar 2016 15:12:18 UTC
Severity: important
Tags: jessie, security, sid, stretch, upstream, wheezy
Found in version jasper/1.900.1-7
Fixed in versions jasper/1.900.1-debian1-2.4+deb8u1, jasper/1.900.1-13+deb7u4
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#816626; Package src:jasper.
(Thu, 03 Mar 2016 15:12:22 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Stigge <stigge@antcom.de>.
(Thu, 03 Mar 2016 15:12:23 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: jasper
Version: 1.900.1-7
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for jasper.
CVE-2016-2116[0]:
memory leak in the jas_iccprof_createfrombuf function
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-2116
Regards,
Salvatore
Added tag(s) wheezy, sid, jessie, and stretch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 06 Mar 2016 16:06:03 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Tue, 08 Mar 2016 21:48:42 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 08 Mar 2016 21:48:42 GMT) (full text, mbox, link).
Message #12 received at 816626-close@bugs.debian.org (full text, mbox, reply):
Source: jasper
Source-Version: 1.900.1-debian1-2.4+deb8u1
We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 816626@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated jasper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 Mar 2016 14:49:44 +0100
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source
Version: 1.900.1-debian1-2.4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 812978 816625 816626
Description:
libjasper-dev - Development files for the JasPer JPEG-2000 library
libjasper-runtime - Programs for manipulating JPEG-2000 files
libjasper1 - JasPer JPEG-2000 runtime library
Changes:
jasper (1.900.1-debian1-2.4+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
(Closes: #816625)
* CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
(Closes: #812978)
* CVE-2016-2116: Prevent jas_stream_t memory leak in
jas_iccprof_createfrombuf() (Closes: #816626)
Checksums-Sha1:
3e5ce30f9c10320f62b00fc6fe723d81afb883a8 1955 jasper_1.900.1-debian1-2.4+deb8u1.dsc
3b49b1c9ea30c969f608c52e62bf2b743a9769e1 1140771 jasper_1.900.1-debian1.orig.tar.gz
c600341ea2cb5be9ee8665bfaf7b3a9df2555f7f 30260 jasper_1.900.1-debian1-2.4+deb8u1.debian.tar.xz
Checksums-Sha256:
52e8e9c7164dad5d3e4f68ae14322b4602255eb7a02af347f97a9592d449c685 1955 jasper_1.900.1-debian1-2.4+deb8u1.dsc
7276e8407080d8263b39aeac8305032b0534c7df25bf02718b3944711e3c81d7 1140771 jasper_1.900.1-debian1.orig.tar.gz
995382b8f98a4226c0555a99a7fef938ef5ab04f646c400485cac07ddc53beb6 30260 jasper_1.900.1-debian1-2.4+deb8u1.debian.tar.xz
Files:
26447f2a9ef85e3892fade8d66f84ff8 1955 graphics optional jasper_1.900.1-debian1-2.4+deb8u1.dsc
d6aa5f1638d703cb03beb996b713ec6c 1140771 graphics optional jasper_1.900.1-debian1.orig.tar.gz
ca96ce1cb3b096cbf4dd69c101127b21 30260 graphics optional jasper_1.900.1-debian1-2.4+deb8u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJW3DkvAAoJEAVMuPMTQ89Eu1MP/Anx2AT9qP+ZWI37kQd4TwpB
urxKjSRMBAJ3ND9JrVPOM2kJ0yvTE91/nlhdK4a+0h8QCh4v398/COqToiYibH+8
W9CeeHXuEU7kDAivKJlt8S2Xl35ku4+nTFCCXtAeQvmcNxoHRpJLF/VgAmdEPpgg
jn0B103gbi/OB9oS9nZNMupY0Uq1vsHL6QBf2fTwYXdUM3r6dnTyU8TUWCx8lrDC
NIzeY8qv6t0g5zfcJhmgDwUunI1oFTlfBqRNKNkcr+weNCkhW1B8Kr9o0F/qDL/r
wFCxasaEEKZIau7KbxNVmm+Ppj8Y0jyi7OgnbDD+l/5g1TxDKR87P+GVOvnzMMEn
jBqFA9dNeXxbPdVxlYvqVXh9Aw8lkLIxlEtiFamcsRiKdNLkxrvRHWbjawSp6hqM
mI3X9rDCsy/dPyUfMDMp2pq6SevAqBzkl2hRqftyJfLG+VFQBNz4yE9g++yczIp/
jP207ME9c94HT/W7NS3Uu1tza2PjOf7PdbmF2k8rq17h4tip5qWu6w2VcRk9G6g1
y/VQ8pi6xkI3pSLO7StGtZK3YJLfdP6Og3QNJiHIlEkc6uHcyPeE6aZNKnc2J7bX
qlNFt0QDj3GY5ulCw6KvwCf2mQfYGqn1TOl4PcKAHqIEygDojZRWIC8ZkEPAsgz7
68n8+2ps2fqZOeB6rM2P
=+NQV
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Tue, 08 Mar 2016 21:57:34 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 08 Mar 2016 21:57:34 GMT) (full text, mbox, link).
Message #17 received at 816626-close@bugs.debian.org (full text, mbox, reply):
Source: jasper
Source-Version: 1.900.1-13+deb7u4
We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 816626@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated jasper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 Mar 2016 15:09:28 +0100
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source amd64
Version: 1.900.1-13+deb7u4
Distribution: wheezy-security
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
libjasper-dev - Development files for the JasPer JPEG-2000 library
libjasper-runtime - Programs for manipulating JPEG-2000 files
libjasper1 - JasPer JPEG-2000 runtime library
Closes: 812978 816625 816626
Changes:
jasper (1.900.1-13+deb7u4) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
(Closes: #816625)
* CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
(Closes: #812978)
* CVE-2016-2116: Prevent jas_stream_t memory leak in
jas_iccprof_createfrombuf() (Closes: #816626)
Checksums-Sha1:
2a5b39408c15feffff975d5b349ce9a419cd287c 1878 jasper_1.900.1-13+deb7u4.dsc
485ed72f72da1b2092fb4f4217580f9a34630fc3 34913 jasper_1.900.1-13+deb7u4.debian.tar.gz
b804f5eeb5e6cb00f2436d133145238007a12eaf 160230 libjasper1_1.900.1-13+deb7u4_amd64.deb
22e63a35ee293bf2c37ec271e31ec6d603b7c308 569330 libjasper-dev_1.900.1-13+deb7u4_amd64.deb
a6501e43744c1ea26fcac1d73a6a50bf7bca263a 27404 libjasper-runtime_1.900.1-13+deb7u4_amd64.deb
Checksums-Sha256:
45322a04fbbdfdba0f58747417fd92bf07e7ffcf612695c095c02c2b87a21cbe 1878 jasper_1.900.1-13+deb7u4.dsc
61049f1047774db9abdc399dcc8c8eb153bba15dddc81c1b95e7e973c6765c6d 34913 jasper_1.900.1-13+deb7u4.debian.tar.gz
8c92d4be18de78060fa888d506c290dd5162397979d858f318508c10225e6660 160230 libjasper1_1.900.1-13+deb7u4_amd64.deb
32a83763556a28ca0f2dbaff434cd0710ac68952a316271213e028cdc19c4eb9 569330 libjasper-dev_1.900.1-13+deb7u4_amd64.deb
98118f1e51119f3cf8cdc892b021c1809e830ea56873eff16a59ed6868489490 27404 libjasper-runtime_1.900.1-13+deb7u4_amd64.deb
Files:
db90675529886eb7523042aa6733604f 1878 graphics optional jasper_1.900.1-13+deb7u4.dsc
dcde5273ae8c4104535af22256f1fd85 34913 graphics optional jasper_1.900.1-13+deb7u4.debian.tar.gz
10f4a6e7ded8f06075694d588621a69a 160230 libs optional libjasper1_1.900.1-13+deb7u4_amd64.deb
8aeb17922bcf60467da1f707dbc866b0 569330 libdevel optional libjasper-dev_1.900.1-13+deb7u4_amd64.deb
afa8d77c698a502158a2d8c4fa1b3da7 27404 graphics optional libjasper-runtime_1.900.1-13+deb7u4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJW3DrJAAoJEAVMuPMTQ89Ej6kP/iFcRx8a0D5E/u7WKCYx7bYM
BrTuk51VKzMkMkd4P9mT2drmSMpBBQSslXIiQF+qfexarvpljdabSaBlzwo6dIeS
eT5q6yQxyYQRCjIkLz/au0Q9fkWFhU4WjDGD81j2BpY4DNHQmTcD1FUlORUmBFqC
08VMWDMMX5FQNqdKDeEuZS6QmjgiFgO1hw6oQ7OJWFqtctSbtuq3Wx+YRq1FibOz
t6r/0DOMQZbgLlhWmlBKzBPmfuId3m02tOOqXOFGsF23jM1PE7aC12FSMOTVMboL
iGTWMSf3HAjX69c52wOZx1fMNILODjEl4US6QiRueDGOB6uw1okkCXVtcXazWIF3
ofkD1W7Ph0sm9ReeO9ooHphUtSnURSbZyhavCXGYhehW3PGnDKdbAw5XkcYHZAlR
+Q5qPtXwKcDe6pmIT67GjyIAmHR3MTIc3ORAVOoVB7kKsug87E6SFLd2G+TknMn3
wJXk18VhwcWet25EJCmaUFmp36KowDxEt2AJtr4/ilzORji4IcBcoBVTVCOKMpU6
xSrrZX9the6bBwvoqwOAOwfBCed7gGDqMUasMawklINpDwMXQjLJFEftFAiQ7bzR
oMMWXLy2DvZRXl0DFLjz/LkDPxgL7AEJNOegL+tVQNmkU6WLLMHsjBzjwHc0GhvP
C3vJ6q7Z4KAbZeFPHdb+
=jfRU
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 01 May 2016 07:36:13 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:05:45 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon