Bug 3902

Summary: jasper is missing a security update (available in MDV 2010.2)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, dmorganec, geiger.david68210, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: jasper-1.900.1-11.mga1.src.rpm CVE:
Status comment:

Description David Walser 2011-12-28 02:00:04 CET 
The newest version of jasper in MDV 2010.2 updates is jasper-1.900.1-12.1mdv2010.2 which since it was imported in mga1 contains multiarch fixes which may be relevant:
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/jasper/current/SPECS/jasper.spec?r1=606067&r2=661673

as well as the security update:
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/jasper/current/SPECS/jasper.spec?r1=740106&r2=742028

Here is the package changelog from the update:
* Fri Dec 16 2011 Oden Eriksson <oeriksson@mandriva.com> 1.900.1-12.1
- P8: security fixes for CVE-2011-4516, CVE-2011-4517 (CERT VU#887409)
- P10 - P16: fixes various errors found by static analysis of code (coverity)
- P3, P4, P5, P6 now replaces the ubuntu patch (P0) which fixed the same 
  issues (CVE-2007-2721, CVE-2008-3520, CVE-2008-3521, CVE-2008-3522)

and the advisory:
http://lists.mandriva.com/security-announce/2011-12/msg00014.php
Comment 1 D Morgan 2011-12-28 02:35:50 CET 
multiarch changes are because rpm5 doesn't work exactly the same way as us ( rpm.org ).

I will look for the sec issue.

Status: NEW => ASSIGNED
CC: (none) => dmorganec

Comment 2 D Morgan 2011-12-28 02:46:27 CET 
Please test new package ( in update_testing )

Status: ASSIGNED => NEW
Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2011-12-28 03:49:51 CET 
Just a note to QA, the only thing jasper is used for in Mageia is it is used by Kopete for viewing a webcam through the Yahoo! protocol.  I don't think I can test this functionality, but that's what's needed to verify that it works.
Comment 4 Dave Hodgins 2011-12-29 01:37:59 CET 
Testing complete on i586 for the srpm
jasper-1.900.1-11.1.mga1.src.rpm

Running under strace confirms simply viewing my on webcam in the
configure/video section calls /usr/lib/libjasper.so.1, so I think
this is adequate for testing purposes.

CC: (none) => davidwhodgins

Comment 5 David GEIGER 2012-01-09 09:53:41 CET 
(In reply to comment #4)
> 
> Running under strace confirms simply viewing my on webcam in the
> configure/video section calls /usr/lib/libjasper.so.1, so I think
> this is adequate for testing purposes.

 Tested complete the srpm jasper-1.900.1-11.1.mga1.src.rpm on Mageia release 1 (Official) for x86_64.

CC: (none) => geiger.david68210

Comment 6 David Walser 2012-01-09 14:40:27 CET 
Validating

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

Heap-based buffer overflow in the jpc_cox_getcompparms function in
libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption)
via a crafted numrlvls value in a JPEG2000 file (CVE-2011-4516).

The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer
1.900.1 uses an incorrect data type during a certain size calculation,
which allows remote attackers to trigger a heap-based buffer overflow
and execute arbitrary code, or cause a denial of service (heap memory
corruption), via a malformed JPEG2000 file (CVE-2011-4517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:189
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.1-11.1.mga1
libjasper-devel-1.900.1-11.1.mga1
libjasper-static-devel-1.900.1-11.1.mga1
libjasper1-1.900.1-11.1.mga1

from jasper-1.900.1-11.1.mga1.src.rpm
========================

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 7 Thomas Backlund 2012-01-09 15:04:08 CET 
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED