Bug 14845

Summary: jasper new security issues CVE-2014-8137 and CVE-2014-8138
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/627055/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: jasper-1.900.1-15.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-18 18:50:11 CET 
An advisory has been issued today (December 18):
http://www.ocert.org/advisories/ocert-2014-012.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

A double free flaw was found in the way JasPer parsed ICC color profiles in
JPEG 2000 image files. A specially crafted file could cause an application
using JasPer to crash or, possibly, execute arbitrary code (CVE-2014-8137).

A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG
2000 image files. A specially crafted file could cause an application using
JasPer to crash or, possibly, execute arbitrary code (CVE-2014-8138).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
http://www.ocert.org/advisories/ocert-2014-012.html
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.1-15.2.mga4
libjasper1-1.900.1-15.2.mga4
libjasper-devel-1.900.1-15.2.mga4
libjasper-static-devel-1.900.1-15.2.mga4

from jasper-1.900.1-15.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-12-18 19:24:24 CET

Severity: major => critical

Comment 1 claire robinson 2014-12-18 23:19:34 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=14729

Whiteboard: (none) => has_procedure

Comment 2 Herman Viaene 2014-12-19 10:19:16 CET 
MGA4-64 on HP-Probook 6555b
No problems installing jasper.
As in Comment 1, I can open and edit a jpg file.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-64 OK

Comment 3 Herman Viaene 2014-12-19 12:32:43 CET 
MGA4-32 on Acer D620
Works OK, same test as Comment 1

Whiteboard: has_procedure MGA4-64 OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 claire robinson 2014-12-19 14:20:30 CET 
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-12-19 16:07:35 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0539.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-19 16:52:21 CET

URL: (none) => http://lwn.net/Vulnerabilities/627055/