Opened 4 years ago
Closed 4 years ago
#14599 closed enhancement (fixed)
Jasper-2.0.24, includes CVE fixes
| Reported by: | Owned by: | Douglas R. Reno | |
|---|---|---|---|
| Priority: | high | Milestone: | 10.1 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
I just noticed fedora updated to this. http://www.ece.uvic.ca/~frodo/jasper/
Quoting their update report via lwn.net:
Update Information:
New upstream version 2.0.24 with all reported CVE fixes available.
ChangeLog:
- Mon Jan 25 2021 Josef Ridky <jridky@…> - 2.0.24-1
- New upstream release 2.0.24 (#1905690)
References:
[ 1 ] Bug #1434464 - CVE-2016-9396 CVE-2016-9397 CVE-2016-9398 CVE-2016-9399 CVE-2017-1000050
CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-2017-14132 ... jasper: various flaws [fedora-all]
[ 2 ] Bug #1905202 - CVE-2020-27828 jasper: heap-based buffer overflow in cp_create() in
jpc_enc.c [fedora-all]
[ 3 ] Bug #1905690 - jasper-2.0.24 is available
Not all of those are currently listed at NVD, and I suspect 2017-1000050 probably has two zeroes too many, but a random inspection of 2016-9396, 2017-13745, 2017-14132 and 2020-27828 shows those are all rated as High.
Change History (6)
comment:1 by , 4 years ago
comment:2 by , 4 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
I'll get Jasper and Glib in at my next commit.
comment:3 by , 4 years ago
Add JAS_VERSION_MAJOR, JAS_VERSION_MINOR, JAS_VERSION_PATCH for easier access to the JasPer version.
Fixes stack overflow bug on Windows, where variable-length arrays are not available. (#256)
Thank you for the new location Pierre!
comment:4 by , 4 years ago
I missed the fact that we were on 2.0.14. Ouch, this is a lot of security fixes. It looks like the ChangeLog was introduced with 2.0.19, so we don't know what was in prior releases.
2.0.24 (2021-01-03) =================== * Add JAS_VERSION_MAJOR, JAS_VERSION_MINOR, JAS_VERSION_PATCH for easier access to the JasPer version. * Fixes stack overflow bug on Windows, where variable-length arrays are not available. (#256) 2.0.23 (2020-12-08) =================== * Fix CVE-2020-27828, heap-overflow in cp_create() in jpc_enc.c https://github.com/jasper-software/jasper/issues/252 2.0.22 (2020-10-05) =================== * Update manual * Remove JPEG dummy codec. Jasper needs libjpeg for JPEG support * Fix test suite build failure regarding disabled MIF codec (#249) * Fix OpenGL/glut detection (#247) 2.0.21 (2020-09-20) =================== * Fix ZDI-15-529 https://github.com/jasper-software/jasper/pull/245 * Fix CVE-2018-19541 in decoder https://github.com/jasper-software/jasper/pull/244 2.0.20 (2020-09-05) =================== * Fix several ISO/IEC 15444-4 conformance bugs * Fix new variant of CVE-2016-9398 * Disable the MIF codec by default for security reasons (but it is still included in the library); in a future release, the MIF codec may also be excluded from the library by default * Add documentation for the I/O streams library API 2.0.19 (2020-07-11) =================== * Fix CVE-2018-9154 https://github.com/jasper-software/jasper/issues/215 https://github.com/jasper-software/jasper/issues/166 https://github.com/jasper-software/jasper/issues/175 https://github.com/jasper-maint/jasper/issues/8 * Fix CVE-2018-19541 in encoder https://github.com/jasper-software/jasper/pull/199 https://github.com/jasper-maint/jasper/issues/6 * Fix CVE-2016-9399, CVE-2017-13751 https://github.com/jasper-maint/jasper/issues/1 * Fix CVE-2018-19540 https://github.com/jasper-software/jasper/issues/182 https://github.com/jasper-maint/jasper/issues/22 * Fix CVE-2018-9055 https://github.com/jasper-maint/jasper/issues/9 * Fix CVE-2017-13748 https://github.com/jasper-software/jasper/issues/168 * Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505 https://github.com/jasper-maint/jasper/issues/3 https://github.com/jasper-maint/jasper/issues/4 https://github.com/jasper-maint/jasper/issues/5 https://github.com/jasper-software/jasper/issues/88 https://github.com/jasper-software/jasper/issues/89 https://github.com/jasper-software/jasper/issues/90 * Fix CVE-2018-9252 https://github.com/jasper-maint/jasper/issues/16 * Fix CVE-2018-19139 https://github.com/jasper-maint/jasper/issues/14 * Fix CVE-2018-19543, CVE-2017-9782 https://github.com/jasper-maint/jasper/issues/13 https://github.com/jasper-maint/jasper/issues/18 https://github.com/jasper-software/jasper/issues/140 https://github.com/jasper-software/jasper/issues/182 * Fix CVE-2018-20570 https://github.com/jasper-maint/jasper/issues/11 https://github.com/jasper-software/jasper/issues/191 * Fix CVE-2018-20622 https://github.com/jasper-maint/jasper/issues/12 https://github.com/jasper-software/jasper/issues/193 * Fix CVE-2016-9398 https://github.com/jasper-maint/jasper/issues/10 * Fix CVE-2017-14132 https://github.com/jasper-maint/jasper/issues/17 * Fix CVE-2017-5499 https://github.com/jasper-maint/jasper/issues/2 https://github.com/jasper-software/jasper/issues/63 * Fix CVE-2018-18873 https://github.com/jasper-maint/jasper/issues/15 https://github.com/jasper-software/jasper/issues/184 * Fix https://github.com/jasper-software/jasper/issues/207 * Fix https://github.com/jasper-software/jasper/issues/194 part 1 * Fix CVE-2017-13750 https://github.com/jasper-software/jasper/issues/165 https://github.com/jasper-software/jasper/issues/174 * New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table * Fix various memory leaks * Plenty of code cleanups, and performance improvements
comment:5 by , 4 years ago
The new URL will be: https://github.com/jasper-software/jasper/archive/version-2.0.24/jasper-2.0.24.tar.gz
Unfortunately, that extracts to jasper-version-2.0.24. I'll add a note similar to what we have in Inkscape, but I'm not sure how this will affect jhalfs.
Now hosted at github: https://github.com/jasper-software/jasper/releases