Bug 14729 - jasper new security issue CVE-2014-9029
Summary: jasper new security issue CVE-2014-9029
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/624605/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-04 20:43 CET by David Walser
Modified: 2016-08-30 20:43 CEST (History)
CC List: 3 users

See Also:
Source RPM: jasper-1.900.1-15.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-12-04 20:43:57 CET
Debian has issued an advisory today (December 4):
https://www.debian.org/security/2014/dsa-3089

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated jasper packages fix security vulnerability:

Josh Duart of the Google Security Team discovered heap-based buffer overflow
flaws in JasPer, which could lead to denial of service (application crash) or
the execution of arbitrary code (CVE-2014-9029).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
https://www.debian.org/security/2014/dsa-3089
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.1-15.1.mga4
libjasper1-1.900.1-15.1.mga4
libjasper-devel-1.900.1-15.1.mga4
libjasper-static-devel-1.900.1-15.1.mga4

from jasper-1.900.1-15.1.mga4.src.rpm

Comment 1 William Kenney 2014-12-05 16:47:36 CET
In VirtualBox, M4, KDE, 32-bit

imagemagick & imagemagick-desktop use jasper

Package(s) under test:
jasper imagemagick
use imagemagick with the ImageMagick-desktop icon

default install of jasper & imagemagick

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-15.mga4.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.3.mga4.i586 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install package from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-15.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.3.mga4.i586 is already installed
(there are no updates to the imagemagick packages)

I can open, and edit, a jpg image with the ImageMagick-desktop icon

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: (none) => MGA4-32-OK

Comment 2 William Kenney 2014-12-05 17:09:01 CET
In VirtualBox, M4, KDE, 64-bit

imagemagick & imagemagick-desktop use jasper

Package(s) under test:
jasper lib64jasper1 imagemagick
use imagemagick with the ImageMagick-desktop icon

default install of jasper, lib64jasper1 & imagemagick

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-15.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64jasper1
Package lib64jasper1-1.900.1-15.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.3.mga4.x86_64 is already installed

I can open, and edit, a jpg image with the ImageMagick-desktop icon

install jasper & lib64jasper1 from updates_testing

[root@localhost wilcal]# urpmi jasper
Package jasper-1.900.1-15.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64jasper1
Package lib64jasper1-1.900.1-15.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.3.mga4.x86_64 is already installed
(there are no updates to the imagemagick packages)

I can open, and edit, a jpg image with the ImageMagick-desktop icon

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
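The QA steps in the two comments above compare the installed jasper build against the fixed build by eye. As an added example (not code from the bug report or from Mageia's tooling), this Python re-implements rpm's version-segment ordering so the same check can be scripted over the package names urpmi prints; FIXED_VR is the fixed build from the description, and the '^' marker of newer rpm releases is not implemented.

```python
import re

# Added example, not code from the bug report or Mageia tooling: rpm-style
# version ordering, used to check an installed jasper build against the fix.
FIXED_VR = "1.900.1-15.1.mga4"  # fixed version-release from the description

def rpmvercmp(a, b):
    """-1/0/1 as a is older/equal/newer than b ('~' handled, '^' not)."""
    i = j = 0
    while True:
        # Skip separators; '~' is kept because it sorts before end-of-string.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = a.startswith("~", i), b.startswith("~", j)
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i == len(a) or j == len(b):
            break
        # Compare one run of digits or one run of letters from each side.
        pat = r"\d+" if (isnum := a[i].isdigit()) else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:  # segment types differ: the numeric segment is newer
            return 1 if isnum else -1
        sa, sb = ma.group(), mb.group()
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i == len(a) and j == len(b):
        return 0
    return -1 if i == len(a) else 1

def parse_nvra(nvra):
    """Split 'name-version-release.arch' (as urpmi prints it) into parts."""
    rest, arch = nvra.rsplit(".", 1)
    return (*rest.rsplit("-", 2), arch)

def is_fixed(nvra, fixed_vr=FIXED_VR):
    """True if the installed build is the fixed build or newer."""
    _, ver, rel, _ = parse_nvra(nvra)
    fver, _, frel = fixed_vr.rpartition("-")
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0
```

Feeding it the package names from the urpmi output above, the pre-update `jasper-1.900.1-15.mga4.i586` is reported as unfixed and `jasper-1.900.1-15.1.mga4.i586` as fixed.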
Comment 3 William Kenney 2014-12-05 17:09:56 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2014-12-05 17:37:17 CET
Advisory uploaded.

Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

claire robinson 2014-12-05 17:37:55 CET

Summary: japser new security issue CVE-2014-9029 => jasper new security issue CVE-2014-9029

Comment 5 David Walser 2014-12-05 17:54:05 CET
Upstream advisory:
http://www.ocert.org/advisories/ocert-2014-009.html

Severity: normal => critical

Comment 6 Mageia Robot 2014-12-05 18:00:03 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0514.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 Len Lawrence 2016-08-30 20:43:18 CEST
Trying this on x86_64.  ImageMagick functions work fine on a random JPEG image before update.
Checking the references now for a PoC.

CC: (none) => tarazed25
