Bug 14729

Summary: jasper new security issue CVE-2014-9029
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs, tarazed25, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/624605/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: jasper-1.900.1-15.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-04 20:43:57 CET 
Debian has issued an advisory today (December 4):
https://www.debian.org/security/2014/dsa-3089

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated jasper packages fix security vulnerability:

Josh Duart of the Google Security Team discovered heap-based buffer overflow
flaws in JasPer, which could lead to denial of service (application crash) or
the execution of arbitrary code (CVE-2014-9029).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
https://www.debian.org/security/2014/dsa-3089
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.1-15.1.mga4
libjasper1-1.900.1-15.1.mga4
libjasper-devel-1.900.1-15.1.mga4
libjasper-static-devel-1.900.1-15.1.mga4

from jasper-1.900.1-15.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 William Kenney 2014-12-05 16:47:36 CET 
In VirtualBox, M4, KDE, 32-bit

imagemagick & imagemagick-desktop uses jasper

Package(s) under test:
jasper imagemagick
use imagemagick with the ImageMagick-desktop icon

default install of jasper & imagemagick

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-15.mga4.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.3.mga4.i586 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install package from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-15.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.3.mga4.i586 is already installed
( there are no updates to the imagemagick packages )

I can open, and edit, a jpg image with the ImageMagick-desktop icon

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: (none) => MGA4-32-OK

Comment 2 William Kenney 2014-12-05 17:09:01 CET 
In VirtualBox, M4, KDE, 64-bit

imagemagick & imagemagick-desktop uses jasper

Package(s) under test:
jasper lib64jasper1 imagemagick
use imagemagick with the ImageMagick-desktop icon

default install of jasper, lib64jasper1 & imagemagick

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-15.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64jasper1
Package lib64jasper1-1.900.1-15.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.3.mga4.x86_64 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper & lib64jasper1 from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-15.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64jasper1
Package lib64jasper1-1.900.1-15.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.3.mga4.x86_64 is already installed
( there are no updates to the imagemagick packages )

I can open, and edit, a jpg image with the ImageMagick-desktop icon

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 3 William Kenney 2014-12-05 17:09:56 CET 
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2014-12-05 17:37:17 CET 
Advisory uploaded.

Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

claire robinson 2014-12-05 17:37:55 CET

Summary: japser new security issue CVE-2014-9029 => jasper new security issue CVE-2014-9029

Comment 5 David Walser 2014-12-05 17:54:05 CET 
Upstream advisory:
http://www.ocert.org/advisories/ocert-2014-009.html

Severity: normal => critical

Comment 6 Mageia Robot 2014-12-05 18:00:03 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0514.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 Len Lawrence 2016-08-30 20:43:18 CEST 
Trying this on x86_64.  ImageMagick functions work fine on a random JPEG image before update.
Checking the references now for a PoC.

CC: (none) => tarazed25