OpenSuSE has issued an advisory for CVE-2016-2089 on February 10: http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html CVE request and assignment for that from January 28: http://seclists.org/oss-sec/2016/q1/84 http://openwall.com/lists/oss-security/2016/01/28/6 PoC attached to the CVE request above. Ubuntu has announced CVE-2016-1577 and CVE-2016-2116 today (March 3): http://openwall.com/lists/oss-security/2016/03/03/12 PoC for CVE-2016-1577 is attached to the Ubuntu bug: https://launchpad.net/bugs/1547865 Patched packages uploaded for Mageia 5 and Cauldron. Advisory to come later. Updated packages in core/updates_testing: ======================== jasper-1.900.1-20.4.mga5 libjasper1-1.900.1-20.4.mga5 libjasper-devel-1.900.1-20.4.mga5 libjasper-static-devel-1.900.1-20.4.mga5 from jasper-1.900.1-20.4.mga5.src.rpm
Testing procedure in: https://bugs.mageia.org/show_bug.cgi?id=14729
Whiteboard: (none) => has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/675051/
Advisory: ======================== Updated jasper packages fix security vulnerabilities: The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted JPEG 2000 image (CVE-2016-2089). Jacob Baines discovered that a double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file (CVE-2016-1577). Tyler Hicks discovered that a memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file (CVE-2016-2116). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1577 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2089 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2116 http://openwall.com/lists/oss-security/2016/03/03/12 http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html
Ubuntu has issued an advisory for their 2 CVEs today (March 3): http://www.ubuntu.com/usn/usn-2919-1/ Advisory: ======================== Updated jasper packages fix security vulnerabilities: The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted JPEG 2000 image (CVE-2016-2089). Jacob Baines discovered that a double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file (CVE-2016-1577). Tyler Hicks discovered that a memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file (CVE-2016-2116). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1577 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2089 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2116 http://lists.opensuse.org/opensuse-updates/2016-02/msg00060.html http://www.ubuntu.com/usn/usn-2919-1/
In VirtualBox, M5, KDE, 32-bit imagemagick & imagemagick-desktop uses jasper Package(s) under test: jasper imagemagick imagemagick-desktop use imagemagick with the ImageMagick-desktop icon default install of jasper imagemagick & imagemagick-desktop [root@localhost wilcal]# urpmi jasper Package jasper-1.900.1-20.3.mga5.i586 is already installed [root@localhost wilcal]# urpmi imagemagick Package imagemagick-6.8.9.9-4.2.mga5.i586 is already installed [root@localhost wilcal]# urpmi imagemagick-desktop Package imagemagick-desktop-6.8.9.9-4.2.mga5.i586 is already installed I can open, and edit, a jpg image with the ImageMagick-desktop icon install jasper from updates_testing [root@localhost wilcal]# urpmi jasper Package jasper-1.900.1-20.4.mga5.i586 is already installed [root@localhost wilcal]# urpmi imagemagick Package imagemagick-6.8.9.9-4.2.mga5.i586 is already installed [root@localhost wilcal]# urpmi imagemagick-desktop Package imagemagick-desktop-6.8.9.9-4.2.mga5.i586 is already installed ( there are no updates to the imagemagick packages ) I can open, and edit, a jpg image with the ImageMagick-desktop icon
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit imagemagick & imagemagick-desktop uses jasper Package(s) under test: jasper imagemagick imagemagick-desktop use imagemagick with the ImageMagick-desktop icon default install of jasper imagemagick & imagemagick-desktop [root@localhost wilcal]# urpmi jasper Package jasper-1.900.1-20.3.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi imagemagick Package imagemagick-6.8.9.9-4.2.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi imagemagick-desktop Package imagemagick-desktop-6.8.9.9-4.2.mga5.x86_64 is already installed I can open, and edit, a jpg image with the ImageMagick-desktop icon install jasper from updates_testing [root@localhost wilcal]# urpmi jasper Package jasper-1.900.1-20.4.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi imagemagick Package imagemagick-6.8.9.9-4.2.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi imagemagick-desktop Package imagemagick-desktop-6.8.9.9-4.2.mga5.x86_64 is already installed ( there are no updates to the imagemagick packages ) I can open, and edit, a jpg image with the ImageMagick-desktop icon
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OKCC: (none) => sysadmin-bugs
LWN reference for CVE-2016-1577 and CVE-2016-2116: http://lwn.net/Vulnerabilities/678818/
Advisory uploaded.
CC: (none) => lewyssmithWhiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0100.html
Status: NEW => RESOLVEDResolution: (none) => FIXED