Opened 6 months ago

Closed 6 months ago

#14599 closed enhancement (fixed)

Jasper-2.0.24, includes CVE fixes

Reported by: ken@… Owned by: Douglas R. Reno
Priority: high Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

I just noticed fedora updated to this. http://www.ece.uvic.ca/~frodo/jasper/

Quoting their update report via lwn.net:

Update Information:

New upstream version 2.0.24 with all reported CVE fixes available.


ChangeLog:

  • Mon Jan 25 2021 Josef Ridky <jridky@…> - 2.0.24-1
  • New upstream release 2.0.24 (#1905690)

References:

[ 1 ] Bug #1434464 - CVE-2016-9396 CVE-2016-9397 CVE-2016-9398 CVE-2016-9399 CVE-2017-1000050

CVE-2017-13745 CVE-2017-13746 CVE-2017-13747 CVE-2017-13748 CVE-2017-13749 CVE-2017-13750 CVE-2017-13751 CVE-2017-13752 CVE-2017-14132 ... jasper: various flaws [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1434464

[ 2 ] Bug #1905202 - CVE-2020-27828 jasper: heap-based buffer overflow in cp_create() in

jpc_enc.c [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1905202

[ 3 ] Bug #1905690 - jasper-2.0.24 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1905690

Not all of those are currently listed at NVD, and I suspect 2017-1000050 probably has two zeroes too many, but a random inspection of 2016-9396, 2017-13745, 2017-14132 and 2020-27828 shows those are all rated as High.

Change History (6)

comment:2 by Douglas R. Reno, 6 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

I'll get Jasper and Glib in at my next commit.

comment:3 by Douglas R. Reno, 6 months ago

    Add JAS_VERSION_MAJOR, JAS_VERSION_MINOR, JAS_VERSION_PATCH for easier access to the JasPer version.
    Fixes stack overflow bug on Windows, where variable-length arrays are not available. (#256)

Thank you for the new location Pierre!

comment:4 by Douglas R. Reno, 6 months ago

I missed the fact that we were on 2.0.14. Ouch, this is a lot of security fixes. It looks like the ChangeLog was introduced with 2.0.19, so we don't know what was in prior releases.

2.0.24 (2021-01-03)
===================

* Add JAS_VERSION_MAJOR, JAS_VERSION_MINOR, JAS_VERSION_PATCH
  for easier access to the JasPer version.
* Fixes stack overflow bug on Windows, where variable-length
  arrays are not available. (#256)

2.0.23 (2020-12-08)
===================

* Fix CVE-2020-27828, heap-overflow in cp_create() in jpc_enc.c
  https://github.com/jasper-software/jasper/issues/252

2.0.22 (2020-10-05)
===================

* Update manual

* Remove JPEG dummy codec. Jasper needs libjpeg for JPEG support

* Fix test suite build failure regarding disabled MIF codec (#249)

* Fix OpenGL/glut detection (#247)

2.0.21 (2020-09-20)
===================

* Fix ZDI-15-529
  https://github.com/jasper-software/jasper/pull/245

* Fix CVE-2018-19541 in decoder
  https://github.com/jasper-software/jasper/pull/244

2.0.20 (2020-09-05)
===================

* Fix several ISO/IEC 15444-4 conformance bugs

* Fix new variant of CVE-2016-9398

* Disable the MIF codec by default for security reasons (but it is still
  included in the library);
  in a future release, the MIF codec may also be excluded from the
  library by default

* Add documentation for the I/O streams library API

2.0.19 (2020-07-11)
===================

* Fix CVE-2018-9154
  https://github.com/jasper-software/jasper/issues/215
  https://github.com/jasper-software/jasper/issues/166
  https://github.com/jasper-software/jasper/issues/175
  https://github.com/jasper-maint/jasper/issues/8

* Fix CVE-2018-19541 in encoder
  https://github.com/jasper-software/jasper/pull/199
  https://github.com/jasper-maint/jasper/issues/6

* Fix CVE-2016-9399, CVE-2017-13751
  https://github.com/jasper-maint/jasper/issues/1

* Fix CVE-2018-19540
  https://github.com/jasper-software/jasper/issues/182
  https://github.com/jasper-maint/jasper/issues/22

* Fix CVE-2018-9055
  https://github.com/jasper-maint/jasper/issues/9

* Fix CVE-2017-13748
  https://github.com/jasper-software/jasper/issues/168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  https://github.com/jasper-maint/jasper/issues/3
  https://github.com/jasper-maint/jasper/issues/4
  https://github.com/jasper-maint/jasper/issues/5
  https://github.com/jasper-software/jasper/issues/88
  https://github.com/jasper-software/jasper/issues/89
  https://github.com/jasper-software/jasper/issues/90

* Fix CVE-2018-9252
  https://github.com/jasper-maint/jasper/issues/16

* Fix CVE-2018-19139
  https://github.com/jasper-maint/jasper/issues/14

* Fix CVE-2018-19543, CVE-2017-9782
  https://github.com/jasper-maint/jasper/issues/13
  https://github.com/jasper-maint/jasper/issues/18
  https://github.com/jasper-software/jasper/issues/140
  https://github.com/jasper-software/jasper/issues/182

* Fix CVE-2018-20570
  https://github.com/jasper-maint/jasper/issues/11
  https://github.com/jasper-software/jasper/issues/191

* Fix CVE-2018-20622
  https://github.com/jasper-maint/jasper/issues/12
  https://github.com/jasper-software/jasper/issues/193

* Fix CVE-2016-9398
  https://github.com/jasper-maint/jasper/issues/10

* Fix CVE-2017-14132
  https://github.com/jasper-maint/jasper/issues/17

* Fix CVE-2017-5499
  https://github.com/jasper-maint/jasper/issues/2
  https://github.com/jasper-software/jasper/issues/63

* Fix CVE-2018-18873
  https://github.com/jasper-maint/jasper/issues/15
  https://github.com/jasper-software/jasper/issues/184

* Fix https://github.com/jasper-software/jasper/issues/207

* Fix https://github.com/jasper-software/jasper/issues/194 part 1

* Fix CVE-2017-13750
  https://github.com/jasper-software/jasper/issues/165
  https://github.com/jasper-software/jasper/issues/174

* New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table

* Fix various memory leaks

* Plenty of code cleanups, and performance improvements

comment:5 by Douglas R. Reno, 6 months ago

The new URL will be: https://github.com/jasper-software/jasper/archive/version-2.0.24/jasper-2.0.24.tar.gz

Unfortunately, that extracts to jasper-version-2.0.24. I'll add a note similar to what we have in Inkscape, but I'm not sure how this will affect jhalfs.

Last edited 6 months ago by Douglas R. Reno (previous) (diff)

comment:6 by Douglas R. Reno, 6 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r24174

Note: See TracTickets for help on using tickets.