Debian Bug report logs - #652649
jasper: Fix for CVE-2011-4516 and CVE-2011-4517
Reported by: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Date: Mon, 19 Dec 2011 15:57:02 UTC
Severity: serious
Tags: patch
Found in version 1.900.1-12
Fixed in version jasper/1.900.1-13
Done: Roland Stigge <stigge@antcom.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>: Bug#652649; Package jasper. (Mon, 19 Dec 2011 15:57:05 GMT)
Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>: New Bug report received and forwarded. Copy sent to Roland Stigge <stigge@antcom.de>. (Mon, 19 Dec 2011 15:57:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: jasper
Version: 1.900.1-12
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch
In Ubuntu, the attached patch was applied to achieve the following:
  * SECURITY UPDATE: denial of service and possible code execution via heap-based buffer overflows.
    - debian/patches/03-CVE-2011-451x.patch: validate compparms->numrlvls and allocate proper size in src/libjasper/jpc/jpc_cs.c.
    - CVE-2011-4516
    - CVE-2011-4517
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers oneiric-updates
APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric-proposed'), (500, 'oneiric')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmpPAM8SW (text/x-diff, attachment)]
Added tag(s) pending. Request was from Roland Stigge <stigge@antcom.de> to control@bugs.debian.org. (Mon, 19 Dec 2011 16:33:07 GMT)
Severity set to 'serious' from 'normal'. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 31 Dec 2011 21:42:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>: Bug#652649; Package jasper. (Wed, 04 Jan 2012 01:18:03 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Wed, 04 Jan 2012 01:18:03 GMT)
Message #14 received at 652649@bugs.debian.org:
Attached is a patch for a planned NMU for this bug. It is essentially the same as the original patch Marc sent along.
I see you've marked this bug as pending, so I'll wait a couple of days before pushing the NMU if you'd like to push your particular changes instead.
Best wishes,
Mike
[jasper-nmu.patch (text/x-patch, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>: Bug#652649; Package jasper. (Wed, 04 Jan 2012 18:57:08 GMT)
Acknowledgement sent to Roland Stigge <stigge@debian.org>: Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Wed, 04 Jan 2012 18:57:08 GMT)
Message #19 received at 652649@bugs.debian.org:
Hi,
On 04/01/12 02:15, Michael Gilbert wrote:
> Attached is a patch for a planned NMU for this bug. It is essentially
> the same as the original patch Mark sent along.
>
> I see you've marked this bug as pending, so I'll wait a couple days
> before pushing the NMU if you'd like to push your particular changes
> instead.
Thanks for your note! I uploaded the patch to both stable and old-stable but not to unstable yet. Just done.
Thanks again!
Roland
Reply sent to Roland Stigge <stigge@antcom.de>: You have taken responsibility. (Wed, 04 Jan 2012 19:03:06 GMT)
Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>: Bug acknowledged by developer. (Wed, 04 Jan 2012 19:03:06 GMT)
Message #24 received at 652649-close@bugs.debian.org:
Source: jasper
Source-Version: 1.900.1-13
We believe that the bug you reported is fixed in the latest version of jasper, which is due to be installed in the Debian FTP archive:
  jasper_1.900.1-13.debian.tar.gz to main/j/jasper/jasper_1.900.1-13.debian.tar.gz
  jasper_1.900.1-13.dsc to main/j/jasper/jasper_1.900.1-13.dsc
  libjasper-dev_1.900.1-13_i386.deb to main/j/jasper/libjasper-dev_1.900.1-13_i386.deb
  libjasper-runtime_1.900.1-13_i386.deb to main/j/jasper/libjasper-runtime_1.900.1-13_i386.deb
  libjasper1_1.900.1-13_i386.deb to main/j/jasper/libjasper1_1.900.1-13_i386.deb
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 652649@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roland Stigge <stigge@antcom.de> (supplier of updated jasper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 04 Jan 2012 19:14:40 +0100
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source i386
Version: 1.900.1-13
Distribution: unstable
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Roland Stigge <stigge@antcom.de>
Description:
libjasper-dev - Development files for the JasPer JPEG-2000 library
libjasper-runtime - Programs for manipulating JPEG-2000 files
libjasper1 - JasPer JPEG-2000 runtime library
Closes: 652649
Changes:
jasper (1.900.1-13) unstable; urgency=high
.
  * Fix CVE-2011-4516 and CVE-2011-4517: Two buffer overflow issues possibly exploitable via specially crafted input files (Closes: #652649). Thanks to Red Hat and Michael Gilbert.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 Feb 2012 07:37:06 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:10:01 2019.