Bug 14845 - jasper new security issues CVE-2014-8137 and CVE-2014-8138
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627055/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Reported: 2014-12-18 18:50 CET by David Walser
Modified: 2014-12-19 16:52 CET
Source RPM: jasper-1.900.1-15.1.mga4.src.rpm

Description David Walser 2014-12-18 18:50:11 CET
An advisory has been issued today (December 18):
http://www.ocert.org/advisories/ocert-2014-012.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated jasper packages fix security vulnerabilities:

A double free flaw was found in the way JasPer parsed ICC color profiles in
JPEG 2000 image files. A specially crafted file could cause an application
using JasPer to crash or, possibly, execute arbitrary code (CVE-2014-8137).

A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG
2000 image files. A specially crafted file could cause an application using
JasPer to crash or, possibly, execute arbitrary code (CVE-2014-8138).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
http://www.ocert.org/advisories/ocert-2014-012.html
========================

Updated packages in core/updates_testing:
========================
jasper-1.900.1-15.2.mga4
libjasper1-1.900.1-15.2.mga4
libjasper-devel-1.900.1-15.2.mga4
libjasper-static-devel-1.900.1-15.2.mga4

from jasper-1.900.1-15.2.mga4.src.rpm

David Walser 2014-12-18 19:24:24 CET

Severity: major => critical

Comment 1 claire robinson 2014-12-18 23:19:34 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=14729

Whiteboard: (none) => has_procedure

Comment 2 Herman Viaene 2014-12-19 10:19:16 CET
MGA4-64 on HP-Probook 6555b
No problems installing jasper.
As in Comment 1, I can open and edit a jpg file.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-64 OK

Comment 3 Herman Viaene 2014-12-19 12:32:43 CET
MGA4-32 on Acer D620
Works OK, same test as Comment 1

Whiteboard: has_procedure MGA4-64 OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 claire robinson 2014-12-19 14:20:30 CET
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-12-19 16:07:35 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0539.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-19 16:52:21 CET

URL: (none) => http://lwn.net/Vulnerabilities/627055/