CVEs have been assigned for security issues in jasper: http://openwall.com/lists/oss-security/2016/10/16/14 Information about the status of these and fixes for some of them: http://openwall.com/lists/oss-security/2016/10/16/17 We should update to 1.900.4 and include any fixes from git.
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer
CC: (none) => marja11Assignee: bugsquad => mageia
More CVEs: http://openwall.com/lists/oss-security/2016/10/23/8 http://openwall.com/lists/oss-security/2016/10/23/1 http://openwall.com/lists/oss-security/2016/10/23/2 http://openwall.com/lists/oss-security/2016/10/23/3
Summary: jasper new security issues CVE-2016-869[1-3] => jasper new security issues CVE-2016-869[1-3], CVE-2016-888[0-7]
Fedora now has a 1.900.13, which should be significantly improved: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THLEZURI4D24PRM7SMASC5I25IAWXXTM/
There is a more recent available release 1.900.18 https://github.com/mdadams/jasper/releases
CC: (none) => geiger.david68210
CVE request for another issue fixed upstream: http://openwall.com/lists/oss-security/2016/11/04/11
openSUSE has issued an advisory for this today (November 4): https://lists.opensuse.org/opensuse-updates/2016-11/msg00010.html
Summary: jasper new security issues CVE-2016-869[1-3], CVE-2016-888[0-7] => jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7]URL: (none) => http://lwn.net/Vulnerabilities/705673/
openSUSE has issued an advisory for this on November 5: https://lists.opensuse.org/opensuse-updates/2016-11/msg00018.html LWN reference: http://lwn.net/Vulnerabilities/705824/
CVE request for another issue fixed upstream: http://openwall.com/lists/oss-security/2016/11/09/8
(In reply to David Walser from comment #8) > CVE request for another issue fixed upstream: > http://openwall.com/lists/oss-security/2016/11/09/8 CVE-2016-9262 for this one: http://openwall.com/lists/oss-security/2016/11/10/4
Summary: jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7] => jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262
More security issues in jasper: http://openwall.com/lists/oss-security/2016/11/16/4
(In reply to David Walser from comment #10) > More security issues in jasper: > http://openwall.com/lists/oss-security/2016/11/16/4 CVE-2016-938[7-9] and CVE-2016-939[0-9]: http://openwall.com/lists/oss-security/2016/11/17/1
Summary: jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262 => jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9]
Two more security issues for jasper: http://openwall.com/lists/oss-security/2016/11/19/5 http://openwall.com/lists/oss-security/2016/11/20/1
(In reply to David Walser from comment #12) > Two more security issues for jasper: > http://openwall.com/lists/oss-security/2016/11/19/5 > http://openwall.com/lists/oss-security/2016/11/20/1 CVE-2016-9557 and CVE-2016-9560: http://openwall.com/lists/oss-security/2016/11/23/2 http://openwall.com/lists/oss-security/2016/11/23/5
Another issue (CVE-2016-8654) has been fixed upstream: http://openwall.com/lists/oss-security/2016/11/29/6 The commit to fix the issue is linked in the message above.
Summary: jasper new security issues CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9] => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9]
LWN reference with some of the CVEs:
Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9] => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560
LWN reference for CVE-2016-8654: https://lwn.net/Vulnerabilities/708870/
Another CVE for jasper: http://openwall.com/lists/oss-security/2016/12/13/3
Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560 => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583
Another CVE for jasper: http://www.openwall.com/lists/oss-security/2016/12/16/3
Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583 => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591
LWN reference for CVE-2016-9395 CVE-2016-9398 CVE-2016-9591: https://lwn.net/Vulnerabilities/711059/
More CVEs: http://openwall.com/lists/oss-security/2017/01/17/1 http://openwall.com/lists/oss-security/2017/01/17/2 http://openwall.com/lists/oss-security/2017/01/17/3 http://openwall.com/lists/oss-security/2017/01/17/4
Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591 => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591, CVE-2017-549[89], CVE-2017-550[0-5]
LWN reference for CVE-2016-9583: https://lwn.net/Vulnerabilities/713423/
Package : jasper CVE ID : CVE-2016-1867 CVE-2016-8654 CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8882 CVE-2016-9560 Multiple vulnerabilities have been discovered in the JasPer library for processing JPEG-2000 images, which may result in denial of service or the execution of arbitrary code if a malformed image is processed.
CC: (none) => zombie_ryushu
Hi, I tried to update jasper so here is a summary that applies to Mageia 5 and Cauldron: I found that, starting with version 1.900.24, the name of the dynamic library was no more libjasper.so.1* but libjasper.so.2* (and, in version 2.0.10, it is libjasper.so.4*). So I used version 1.900.23 (which solves CVE-2016-869[0-3], CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9]) and added some patches for CVE-2016-8654, CVE-2016-9557, CVE-2016-9560, CVE-2016-9583 and CVE-2016-9591. The remaining unpatched security problems are CVE-2017-549[89] and CVE-2017-550[0-5] (for which there is currently no upstream patch). I had to add another patch replacing an "assert()" by an error message because that assert, with the file "http://www.fnordware.com/j2k/relax.jp2", caused the crash of pcmanfm (when it tries to create the thumbnail) and of the gimp plugin "file-jp2-load". The current version of jasper, with the same file, also causes the crash of the gimp plugin but does not affect pcmanfm because the creation of the thumbnail fails before that assert. In my tests, I used these files: https://github.com/bitsgalore/jp2kMagic/raw/master/sampleImages/balloon.jp2 https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/1410918/+attachment/4298538/+files/Cevennes2.jp2 https://sourceforge.net/p/iipimage/discussion/299494/thread/dc7ea3fd/621e/attachment/sample.jp2 https://sourceforge.net/p/iipimage/discussion/299494/thread/dc7ea3fd/5bd9/attachment/Paris_12-080422_0687-23-00001_0001292.jp2 http://www.fnordware.com/j2k/relax.jp2 imagewithalpha.jp2 from https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/427100/+attachment/884717/+files/image.tar.bz2 Current situation (jasper 1.900.1): - The gimp plugin crashes with balloon.jp2, Cevennes2.jp2 and relax.jp2. Gimp is unable to open imagewithalpha.jp2 and Paris_12-080422_0687-23-00001_0001292.jp2. Gimp only opens sample.jp2. - (Only for Cauldron as the binary does not exist in Mageia 5) jiv crashes with relax.jp2. jiv is unable to open imagewithalpha.jp2 and Paris_12-080422_0687-23-00001_0001292.jp2. jiv opens balloon.jp2, Cevennes2.jp2 and sample.jp2 (even if it takes some time to opens those files). - Pcmanfm is only able to create a thumbnail for sample.jp2 (if it is configured to create thumbnails for files smaller than 32768KB, default is 2048KB). Situation with jasper 1.900.23 + patches: - Gimp is unable to open imagewithalpha.jp2, Paris_12-080422_0687-23-00001_0001292.jp2 and relax.jp2. Gimp opens balloon.jp2, Cevennes2.jp2 and sample.jp2. - (Both Cauldron and Mageia 5) jiv is unable to open imagewithalpha.jp2, Paris_12-080422_0687-23-00001_0001292.jp2, relax.jp2 and sample.jp2. jiv opens balloon.jp2 and Cevennes2.jp2 (even if it takes some time to opens those files). - Pcmanfm is able to create a thumbnail for balloon.jp2, Cevennes2.jp2 and sample.jp2 (if it is configured to create thumbnails for files smaller than 32768KB, default is 2048KB). I commited that new version to SVN but I neither submit to mga5/updates_testing nor asked for a freeze push because of CVE-2017-549[89] and CVE-2017-550[0-5]. Best regards, Nico.
CC: (none) => nicolas.salguero
Wow, thanks! You can do the freeze push request for Cauldron as a partial fix is better than nothing there. Mageia 5 can wait a bit more. Nice catch with that assert, as those shouldn't be left enabled in production code anyway.
Does this package now suffer from the same breakage that happend in cauldron ?
Whiteboard: MGA5TOO => MGA5TOO feedbackCC: (none) => tmb
The corrected patch for CVE-2016-9557 has been committed into Mga5 and Cauldron SVN so there should be no more breakage.
Another bug: http://openwall.com/lists/oss-security/2017/03/06/1 and a fix for a different one: http://openwall.com/lists/oss-security/2017/03/06/3
(In reply to David Walser from comment #27) > and a fix for a different one: > http://openwall.com/lists/oss-security/2017/03/06/3 Added to Mga5 and Cauldron SVN. jasper-1.900.23-3.mga6 contains the patch.
Another fix: http://openwall.com/lists/oss-security/2017/03/07/1
(In reply to David Walser from comment #29) > Another fix: > http://openwall.com/lists/oss-security/2017/03/07/1 Added to Mga5 and Cauldron SVN. jasper-1.900.23-4.mga6 contains the patch.
http://openwall.com/lists/oss-security/2017/03/13/22 http://openwall.com/lists/oss-security/2017/03/13/23 http://openwall.com/lists/oss-security/2017/03/13/24 http://openwall.com/lists/oss-security/2017/03/13/25 http://openwall.com/lists/oss-security/2017/03/13/26 http://openwall.com/lists/oss-security/2017/03/13/27 CVE-2016-1024[89], CVE-2016-1025[01], CVE-2017-685[02] were assigned. These won't fit in the bug title.
Summary: jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591, CVE-2017-549[89], CVE-2017-550[0-5] => jasper new security issues CVE-2016-8654, CVE-2016-869[0-3], CVE-2016-8751, CVE-2016-888[0-7], CVE-2016-9262, CVE-2016-938[7-9] and CVE-2016-939[0-9], CVE-2016-9557, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591, CVE-2017-549[89], CVE-2017-550[0-5] and more
According to the links provided in comment 31, CVE-2016-1024[89], CVE-2016-1025[01] and CVE-2017-6850 are already fixed in jasper-1.900.23-4.mga6. The only remaining issue is CVE-2017-6852, for which there is currently no fix.
SUSE has issued an advisory on April 5: https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00010.html It includes several CVEs, including CVE-2016-9600, which I don't believe has been mentioned here yet.
I added a patch for CVE-2016-9600 to Mga5 and Cauldron SVN. jasper-1.900.23-5.mga6 contains that patch.
can we send this to QA for test and validation ?
RedHat has added an advisory for this on May 9: https://rhn.redhat.com/errata/RHSA-2017-1208.html
Whiteboard: MGA5TOO feedback => feedbackVersion: Cauldron => 5
Two more CVE requests: http://openwall.com/lists/oss-security/2017/06/20/3 http://openwall.com/lists/oss-security/2017/06/20/4
CVE-2017-1000050: http://openwall.com/lists/oss-security/2017/07/08/3
openSUSE has issued an advisory on July 26, fixing several CVEs in jasper: https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html
Keywords: (none) => feedbackWhiteboard: feedback => (none)
(In reply to David Walser from comment #38) > CVE-2017-1000050: > http://openwall.com/lists/oss-security/2017/07/08/3 Fedora has issued an advisory for this on September 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U5NEJQFBVKG6PRJ5EZ7UIP7ZXOIHDPJF/
Can we update this? I'm guessing Mageia 6 needs some fixes too.
Keywords: feedback => (none)
If I read Nicolas right, CVE-2017-549[89], CVE-2017-550[0-5], CVE-2017-6852 may be unfixed, but everything should be fixed in this update and what we already have in Mageia 6. Advisory: ======================== Updated jasper packages fix security vulnerability: The jasper package has been updated and patched to fix several security issues. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8654 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8690 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8693 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8751 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8880 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8881 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8882 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8883 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8885 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8886 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8887 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9262 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9387 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9390 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9391 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9392 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9393 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9394 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9395 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9396 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9397 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9398 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9399 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9557 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9560 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9583 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9591 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9600 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10248 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10249 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10250 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10251 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6850 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000050 https://github.com/mdadams/jasper/releases https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THLEZURI4D24PRM7SMASC5I25IAWXXTM/ https://lists.opensuse.org/opensuse-updates/2016-11/msg00010.html https://lists.opensuse.org/opensuse-updates/2016-11/msg00018.html https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00010.html https://lists.opensuse.org/opensuse-updates/2017-07/msg00092.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U5NEJQFBVKG6PRJ5EZ7UIP7ZXOIHDPJF/ ======================== Updated packages in core/updates_testing: ======================== jasper-1.900.23-1.mga5 libjasper1-1.900.23-1.mga5 libjasper-devel-1.900.23-1.mga5 libjasper-static-devel-1.900.23-1.mga5 from jasper-1.900.23-1.mga5.src.rpm
CC: (none) => mageiaAssignee: mageia => qa-bugs
On real hardware, ASRock motherboard, Athlon X2 7750, 8GB, nvidia Geforce 9800 GT (nvidia340) graphics. Installed jasper-1.900.23-1.mga5 and libjasper1-1.900.23-1.mga5. Downloaded jp2 test image and opened it with several 64-bit apps. No regressions noted.
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA5-64-OK
To prioritise.
Thanks TJ for your test. M5/64 again. - jasper-1.900.23-1.mga5.x86_64 - lib64jasper1-1.900.23-1.mga5.x86_64 "JasPer is a software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard (i.e., ISO/IEC 15444-1). This package contains tools for working with JPEG-2000 images." - imgcmp The imgcmp command compares two images of the same geometry with respect to a given metric. [A bit specialised...] - imginfo The imginfo command displays information about an image. - jasper The jasper command converts to and from JPEG-2000 files. These 3 have skimpy man pages, but --help command info. - tmrdemo [mystery] $ tmrdemo bad usage :P $ tmrdemo -h jas_tmr_start inf us jas_tmr_stop inf us zero time -nan us time delay 1.00009012 s Do not know what this is supposed to mean. $ imginfo -f bell_206.j2k warning: ignoring invalid option max_samples [post update only] jpc 3 258 792 8 613008 $ imginfo -f bell_206.jp2 [same image, different suffix] warning: ignoring invalid option max_samples [post update only] jpc 3 258 792 8 613008 $ imginfo -f blackbuck.j2k jpc 3 512 512 8 786432 warning: ignoring invalid option max_samples [post update only] $ imginfo -f P1000737.jp2 warning: ignoring invalid option max_samples [post update only] jp2 3 3072 2048 8 18874368 Happy to believe all that. Stracing shows the library is being invoked: strace imginfo -f bell_206.j2k 2>&1 | grep libjasper open("/lib64/libjasper.so.1", O_RDONLY|O_CLOEXEC) = 3 For jasper: The following formats are supported: mif My Image Format (MIF) pnm Portable Graymap/Pixmap (PNM) bmp Microsoft Bitmap (BMP) ras Sun Rasterfile (RAS) jp2 JPEG-2000 JP2 File Format Syntax (ISO/IEC 15444-1) jpc JPEG-2000 Code Stream Syntax (ISO/IEC 15444-1) jpg JPEG (ISO/IEC 10918-1) pgx JPEG-2000 VM Format (PGX) BMP -> JP2 $ jasper -f blackbuck.bmp -t bmp -F ~/tmp/blackbuck.jp2 -T jp2 THE BMP FORMAT IS NOT FULLY SUPPORTED! THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA. IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD. In spite of which, the output file existed and viewed similar to the input. $ strace jasper -f blackbuck.bmp -t bmp -F ~/tmp/blackbuck.jp2 -T jp2 2>&1 | grep libjasper open("/lib64/libjasper.so.1", O_RDONLY|O_CLOEXEC) = 3 JPG -> JP2 $ jasper -f neuadd.jpeg -t jpg -F ~/tmp/neuadd.jp2 -T jp2 The original & converted images viewed identically. JP2 -> JPG $ jasper -f bell_206.jp2 -t jp2 -F ~/tmp/bell.jpg -T jpg error: expecting signature box error: cannot load image data Same error with .j2k image copy. $ jasper -f P1000737.jp2 -t jp2 -F ~/tmp/pic.jpg -T jpg worked: I/P & O/P images viewed identically. Stracing that showed: open("/lib64/libjasper.so.1", O_RDONLY|O_CLOEXEC) = 3 JP2 -> BMP $ jasper -f blackbuck.j2k -t jp2 -F ~/tmp/pic.bmp -T bmp error: expecting signature box error: cannot load image data $ jasper -f P1000784.jp2 -t jp2 -F ~/tmp/pic.bmp -T bmp worked. Original & converted images viewed identically. Its delicacy on the subject of jp2|j2k input files, which themselves were the result of conversions (as were the ones that did work), was the same before the update - which looks good. Oh - the new benign error msg from imginfo has appeared with the update, but is more an annoyance than anything: the results are the same as before. Confirm TJ's OK, validating as this is a one release 64-bit tested update. Advisory done.
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0474.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
There were two failures in the PoC tests, for CVEs 2016-939{7,8}. Referring back to Herman's tests and bug 19605 c3.... Downloaded ht2jk.jpg from https://jpeg.org/jpeg2000/htj2k.html. $ file ht2jk.jpg ht2jk.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=12, manufacturer=Canon, model=Canon PowerShot A540, orientation=upper-left, xresolution=186, yresolution=194, resolutionunit=2, datetime=2009:09:13 12:26:29], baseline, precision 8, 2816x558, frames 3 Looks like an ordinary JPEG. $ imginfo -f ht2jk.jpg jpg 3 2816 558 8 4713984 $ jasper --input ht2jk.jpg --output-format jp2 --output riverpan.jp2 $ imginfo -f riverpan.jp2 warning: ignoring invalid option max_samples jp2 3 2816 558 8 4713984 $ diff riverpan.jp2 ht2jk.jpg Binary files riverpan.jp2 and ht2jk.jpg differ $ od -a ht2jk.jpg | head -2 0000000 del X del ` nul dle J F I F nul soh soh soh nul ` 0000020 nul ` nul nul del a nak ` E x i f nul nul M M $ od -a riverpan.jp2 | head -2 0000000 nul nul nul ff j P sp sp cr nl bel nl nul nul nul dc4 0000020 f t y p j p 2 sp nul nul nul nul j p 2 sp Comparing the tailends also indicates a difference in encoding so the file has been converted, not just renamed. Downloaded these sample files from github - relax.jp2, sail.j2k, world.jp2. $ imginfo -f relax.jp2 warning: ignoring invalid option max_samples ICC Profile CS 52474220 error: failed to create jas_cmprof_t cannot load image This is not a regression because the same image copied to another system with pre-update jasper loaded gives the same message. ImageMagick has no problem displaying it. $ imginfo -f sail.j2k warning: ignoring invalid option max_samples jpc 3 640 480 8 921600 $ imginfo -f world.jp2 warning: ignoring invalid option max_samples jp2 3 800 400 8 960000 These display fine also. $ jasper -t pnm -f glenshiel.pnm -T jp2 -F greyvale.jp2 $ display greyvale.jp2 $ imginfo -f greyvale.jp2 warning: ignoring invalid option max_samples jp2 1 2304 1728 8 3981312 $ jasper -f sail.j2k -F sail.bmp -T bmp $ display sail.bmp $ imginfo -f sail.bmp THE BMP FORMAT IS NOT FULLY SUPPORTED! THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA. IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD. bmp 3 640 480 8 921600 No regression there. The image displays fine. $ jasper -f sail.j2k -t jp2 -F sail.pnm -T pnm error: expecting signature box error: cannot load image data This produced an empty output file. $ convert sail.j2k sail.bmp $ display sail.bmp $ jasper -f sail.bmp -t bmp -F sail.pnm -T pnm THE BMP FORMAT IS NOT FULLY SUPPORTED! THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA. IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD. cannot get info error: cannot load image data $ display sail.pnm display: improper image header `sail.pnm' @ error/pnm.c/ReadPNMImage/287. jasper is still a work in progress by the looks of it. None of these failures should be regarded as regressions. We have seen them before, but the failed PoCs need looking into. The conversions work in the main, so if the PoC failures can be signalled back upstream this is probably good to go, but shall await advice.
CC: (none) => tarazed25
Mercy me! Wrong bug for that last comment. Apologies.