Debian Bug report logs - #772036
jasper: CVE-2014-9029


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 4 Dec 2014 14:45:09 UTC

Severity: grave

Tags: patch, security, upstream

Found in version jasper/1.900.1-7

Fixed in versions jasper/1.900.1-13+deb7u1, jasper/1.900.1-debian1-2.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#772036; Package src:jasper. (Thu, 04 Dec 2014 14:45:14 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Stigge <stigge@antcom.de>. (Thu, 04 Dec 2014 14:45:14 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jasper: CVE-2014-9029
Date: Thu, 04 Dec 2014 15:35:41 +0100
Source: jasper
Version: 1.900.1-7
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for jasper.

CVE-2014-9029[0]:
heap-based buffer overflows

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9029
[1] http://www.ocert.org/advisories/ocert-2014-009.html

Regards,
Salvatore



Marked as fixed in versions jasper/1.900.1-13+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 04 Dec 2014 15:21:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#772036; Package src:jasper. (Fri, 05 Dec 2014 08:27:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Fri, 05 Dec 2014 08:27:11 GMT)


Message #12 received at 772036@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 772036@bugs.debian.org
Subject: jasper: diff for NMU version 1.900.1-debian1-2.2
Date: Fri, 5 Dec 2014 09:26:32 +0100
Control: tags 772036 + patch
Control: tags 772036 + pending

Hi Roland,

I've prepared an NMU for jasper (versioned as 1.900.1-debian1-2.2) and
uploaded it to DELAYED/2, with the same patch used for the DSA. Are
you working on an update yourself? Let me know if so, so I will remove
my upload from the delayed queue. If you are fine with my upload, I
would gladly move it forward directly to the archive to get the fix
sooner for jessie.

Regards,
Salvatore
[jasper-1.900.1-debian1-2.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 772036-submit@bugs.debian.org. (Fri, 05 Dec 2014 08:27:11 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 772036-submit@bugs.debian.org. (Fri, 05 Dec 2014 08:27:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#772036; Package src:jasper. (Fri, 05 Dec 2014 10:57:10 GMT)


Acknowledgement sent to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list. (Fri, 05 Dec 2014 10:57:10 GMT)


Message #21 received at 772036@bugs.debian.org:

From: Roland Stigge <stigge@antcom.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 772036@bugs.debian.org
Subject: Re: Bug#772036: jasper: diff for NMU version 1.900.1-debian1-2.2
Date: Fri, 05 Dec 2014 11:43:20 +0100
Hi Salvatore!

Thanks for working on this!

Roland

On 12/05/2014 09:26 AM, Salvatore Bonaccorso wrote:
> Control: tags 772036 + patch
> Control: tags 772036 + pending
> 
> Hi Roland,
> 
> I've prepared an NMU for jasper (versioned as 1.900.1-debian1-2.2) and
> uploaded it to DELAYED/2, with the same patch used for the DSA. Are
> you working on an update yourself? Let me know if so, so I will remove
> my upload from the delayed queue. If you are fine with my upload, I
> would gladly move it forward directly to the archive to get the fix
> sooner for jessie.
> 
> Regards,
> Salvatore
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#772036; Package src:jasper. (Fri, 05 Dec 2014 12:03:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Fri, 05 Dec 2014 12:03:09 GMT)


Message #26 received at 772036@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Roland Stigge <stigge@antcom.de>
Cc: 772036@bugs.debian.org
Subject: Re: Bug#772036: jasper: diff for NMU version 1.900.1-debian1-2.2
Date: Fri, 5 Dec 2014 13:01:10 +0100
Hey Roland!

On Fri, Dec 05, 2014 at 11:43:20AM +0100, Roland Stigge wrote:
> Hi Salvatore!
> 
> Thanks for working on this!

Welcome!

Thanks for quick feedback. I interpret the above that it's just fine,
so I will move the package from delayed preferably directly to the
archive. (I will also take care of asking for an unblock request for
jessie).

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 05 Dec 2014 12:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 05 Dec 2014 12:21:05 GMT)


Message #31 received at 772036-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 772036-close@bugs.debian.org
Subject: Bug#772036: fixed in jasper 1.900.1-debian1-2.2
Date: Fri, 05 Dec 2014 12:19:07 +0000
Source: jasper
Source-Version: 1.900.1-debian1-2.2

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772036@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Dec 2014 08:39:16 +0100
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source amd64
Version: 1.900.1-debian1-2.2
Distribution: unstable
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - JasPer JPEG-2000 runtime library
Closes: 772036
Changes:
 jasper (1.900.1-debian1-2.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add 04-CVE-2014-9029.patch patch.
     CVE-2014-9029: incorrect component number check in COC, RGN and QCC
     marker segment decoders. (Closes: #772036)
Checksums-Sha1:
 1876d09685e167af9818c33fb207066faabadbbf 1927 jasper_1.900.1-debian1-2.2.dsc
 5cb2ffd9d26d5b4ee2e19f0322e73f08f609bab4 28040 jasper_1.900.1-debian1-2.2.debian.tar.xz
Checksums-Sha256:
 1fccedcef4b6e1a682250bf1c6ed4c28bf326f429def886924c038e856899e7a 1927 jasper_1.900.1-debian1-2.2.dsc
 7f0f6b9e335858fa4732bee2d3c048d83b43144affeda2f91c3c798e90b5d9a1 28040 jasper_1.900.1-debian1-2.2.debian.tar.xz
Files:
 b587fb7a049802c9836e92aeba44db31 1927 graphics optional jasper_1.900.1-debian1-2.2.dsc
 9f727f30336c5d343d5d339d25d2e4be 28040 graphics optional jasper_1.900.1-debian1-2.2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUgWjsAAoJEAVMuPMTQ89Emr0P/jAE+Ep7l5KPfwnzPlDrr1dT
4o7z7QYyx3zT8rW6VqXPDd7VgYRHeAVCQTBL1qGvijdVidThP0Td/45HONWg6aCO
jlMpXPT/qGctCmFqKaHqsLB/KsFaBxpMG6h4zdtYnNl3O5k6fDw/un//ICWmhT1s
cT6ZTDDX5dHmGKxDy4kt40IwG4Fc3Zr+pmWfY/ChPC3gHhz+M65T107rPHHfhckP
aFd1lE8pF3rUfQjyDaCLCLyiXYnKBXBTN9zZfKxSNm4KV/m4xkWVWs6gFocNI/NQ
5PRrh+U0p8UedDJjlK4K053e/70iUrJ/eaDQAjOG3/73rLxpzA9GVOI7EL7CBx1d
/rLCy38LcPQJnYxXbHmgYlDdrKdMSPasYtPls0h+cKE2KVDYXEiQgoRLAYvU278q
gWo0hXypbd/tHfiMSmkERgPbx2cAnEgljm8Z0jlSYY6pdhbrLO87+ZYFmDCbMCVZ
BFhgSNx5HbdTxJpq4evm2nySJfVmedksoQ+ifJBJdV8F+mIjtfyfcYufgbzPPdGF
aliBwB+yq/F8dYBh4ZWBXQ9sjEGOiUQka+D+WfKrqhi7fTnpoRMmnZ7b5v/h+vu7
xBkIfUPzGUMBSqnnKIJx984tf3ETSNvZ/e4TC4PTNFVjyOen2foNvdP1qmvun3Y7
xYw8cErVIaESH0cA2pSl
=TjQJ
-----END PGP SIGNATURE-----


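The changelog in the close message above names the defect as an incorrect component number check in the COC, RGN and QCC marker segment decoders, with heap-based buffer overflows as the result. The C program below is an added example written for this page; it is not JasPer's code and not the 04-CVE-2014-9029.patch attached to the upload. It parses a constructed JPEG 2000 main-header fragment (a SIZ segment followed by one COC segment), sizes a per-component heap array from Csiz, and applies the COC's component index under either a correct bound or an off-by-one bound. The off-by-one predicate is this example's own illustration of what an "incorrect component number check" can look like; the exact expression JasPer used before the fix is not reproduced on this page. A sentinel slot allocated just past the real array stands in for neighbouring heap memory, so the out-of-bounds write is observable without undefined behaviour. Marker codes and field layouts follow ITU-T T.800; the sample bytes are constructed here, not taken from a captured file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* JPEG 2000 codestream marker codes (ITU-T T.800, Table A.2). */
#define MRK_SIZ 0xFF51
#define MRK_COC 0xFF53
#define MRK_QCC 0xFF5D
#define MRK_RGN 0xFF5E

/* Per-component decoder state: one heap slot per component declared in SIZ. */
struct comp_state { uint8_t cod_style; uint8_t roi_shift; uint8_t qnt_style; };

/* Two shapes of the component-number bound. The off-by-one form is this
 * example's illustration of an incorrect check (assumption, not JasPer's
 * literal code): it accepts compno == numcomps, one slot past the array. */
int compno_check_off_by_one(int compno, int numcomps) { return compno <= numcomps; }
int compno_check_correct(int compno, int numcomps) { return compno >= 0 && compno < numcomps; }

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode a main-header fragment: SIZ followed by COC/RGN/QCC segments.
 * Returns the number of per-component segments applied, or -1 when the
 * stream is rejected (truncated segment, SIZ missing, or component index
 * failing 'check'). comps[] gets one extra sentinel slot; *canary_hit
 * reports whether a write landed there. */
int decode_main_header(const uint8_t *buf, size_t len,
                       int (*check)(int, int), int *canary_hit)
{
    size_t pos = 0;
    int numcomps = 0, applied = 0;
    struct comp_state *comps = NULL;

    *canary_hit = 0;
    while (pos + 4 <= len) {
        uint16_t marker = rd16(buf + pos);
        uint16_t lseg = rd16(buf + pos + 2);            /* Lxxx, counts itself */
        const uint8_t *body = buf + pos + 4;
        size_t blen;
        if (lseg < 2 || pos + 2 + (size_t)lseg > len) goto reject;
        blen = lseg - 2;

        if (marker == MRK_SIZ) {
            /* Fixed part is 36 bytes, Csiz at offset 34, then 3 bytes per component. */
            if (blen < 36) goto reject;
            numcomps = rd16(body + 34);
            if (numcomps < 1 || numcomps > 16384 || blen < 36 + 3 * (size_t)numcomps) goto reject;
            free(comps);
            comps = calloc((size_t)numcomps + 1, sizeof *comps);  /* +1 sentinel */
            if (!comps) goto reject;
            comps[numcomps].cod_style = 0xA5;                     /* sentinel value */
        } else if (marker == MRK_COC || marker == MRK_RGN || marker == MRK_QCC) {
            size_t csz = (numcomps < 257) ? 1 : 2;     /* width of Ccoc/Crgn/Cqcc */
            int compno;
            uint8_t style;
            if (!comps || blen < csz + 1) goto reject;  /* SIZ must come first */
            compno = (csz == 1) ? body[0] : rd16(body);
            if (!check(compno, numcomps)) goto reject;  /* the check under test */
            style = body[csz];
            if (marker == MRK_COC)      comps[compno].cod_style = style;
            else if (marker == MRK_RGN) comps[compno].roi_shift = style;
            else                        comps[compno].qnt_style = style;
            applied++;
        }
        pos += 2 + (size_t)lseg;
    }
    if (comps) {
        const struct comp_state *s = &comps[numcomps];
        *canary_hit = (s->cod_style != 0xA5 || s->roi_shift != 0 || s->qnt_style != 0);
    }
    free(comps);
    return applied;
reject:
    free(comps);
    return -1;
}

/* Constructed input (not a captured file): a one-component SIZ followed by
 * a COC segment addressing component 'compno'. Returns bytes written. */
size_t build_fragment(uint8_t *out, int compno)
{
    static const uint8_t spcoc[5] = { 5, 4, 4, 0, 1 };  /* levels, cblk w/h, style, 5/3 */
    size_t n = 0;
    out[n++] = 0xFF; out[n++] = 0x51; out[n++] = 0; out[n++] = 41;  /* SIZ, Lsiz = 38+3*1 */
    memset(out + n, 0, 39);
    out[n + 35] = 1;                                     /* Csiz = 1 */
    out[n + 36] = 7; out[n + 37] = 1; out[n + 38] = 1;   /* Ssiz, XRsiz, YRsiz */
    n += 39;
    out[n++] = 0xFF; out[n++] = 0x53; out[n++] = 0; out[n++] = 9;   /* COC, Lcoc = 9 */
    out[n++] = (uint8_t)compno;                          /* Ccoc */
    out[n++] = 0x01;                                     /* Scoc */
    memcpy(out + n, spcoc, sizeof spcoc); n += sizeof spcoc;
    return n;
}

/* One scenario: -1 rejected, 0 accepted with sentinel intact,
 * 1 accepted and the sentinel slot past the array was overwritten. */
int classify(int compno, int (*check)(int, int))
{
    uint8_t buf[64];
    int hit;
    size_t n = build_fragment(buf, compno);
    if (decode_main_header(buf, n, check, &hit) < 0) return -1;
    return hit;
}

int main(void)
{
    printf("compno 0, correct check:    %d\n", classify(0, compno_check_correct));
    printf("compno 1, correct check:    %d\n", classify(1, compno_check_correct));
    printf("compno 1, off-by-one check: %d\n", classify(1, compno_check_off_by_one));
    return 0;
}
```

With Csiz = 1 the only valid component index is 0. The correct bound rejects a COC naming component 1; the off-by-one bound accepts it and the write lands in the sentinel slot, which in a real decoder would be whatever the allocator placed after the component array. Any COC, RGN or QCC index far beyond numcomps is rejected by both predicates, which is why an off-by-one of this kind is easy to miss in testing.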


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 22 Jan 2015 07:26:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:29:47 2019; Machine Name: buxtehude
