SUSE has issued an advisory today (May 26): http://lists.suse.com/pipermail/sle-security-updates/2020-May/006858.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOBlocks: (none) => 23168
Patched packages uploaded by David Geiger for Mageia 7 and Cauldron. Advisory: ======================== Updated jasper packages fix security vulnerability: There is a reachable abort in the function jpc_dec_process_sot in libjasper/jpc/jpc_dec.c of JasPer 2.0.14 that will lead to a remote denial of service attack (CVE-2018-9154). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9154 http://lists.suse.com/pipermail/sle-security-updates/2020-May/006858.html ======================== Updated packages in core/updates_testing: ======================== jasper-2.0.14-4.2.mga7 libjasper4-2.0.14-4.2.mga7 libjasper-devel-2.0.14-4.2.mga7 from jasper-2.0.14-4.2.mga7.src.rpm
Version: Cauldron => 7Whiteboard: MGA7TOO => (none)CC: (none) => geiger.david68210Assignee: bugsquad => qa-bugs
mga7, x86_64 Pre-update: $ rpm -qa | grep jasper lib64jasper-devel-2.0.14-4.1.mga7 jasper-2.0.14-4.1.mga7 lib64jasper4-2.0.14-4.1.mga7 CVE-2018-9154 https://bugzilla.suse.com/show_bug.cgi?id=1092115 $ jasper --input jasper_POC --output-format jp2 warning: trailing garbage in marker segment (1 bytes) warning: trailing garbage in marker segment (23 bytes) Aborted (core dumped) Updated the jasper packages. $ jasper --input jasper_POC --output-format jp2 warning: trailing garbage in marker segment (1 bytes) warning: trailing garbage in marker segment (23 bytes) error: cannot load image data That looks satisfactory. Continuing later.
CC: (none) => tarazed25
A few utility tests on jpeg-2000 images. $ jasper -t pnm -f glenshiel.pnm -T jp2 -F greyvale.jp2 $ ll glen* grey* -rw-r--r-- 1 lcl lcl 3981359 Jun 9 2018 glenshiel.pnm -rw-r--r-- 1 lcl lcl 1868125 May 28 11:12 greyvale.jp2 greyvale2.jp2 displays as a perfect greyscale version of the original image. $ imginfo -f greyvale.jp2 jp2 1 2304 1728 8 3981312 The size differs from the file size, possibly because the header size is not included. Compare: $ identify greyvale.jp2 greyvale.jp2 JP2 2304x1728 2304x1728+0+0 8-bit Grayscale Gray 0.000u 0:00.000 $ jasper -f sail.j2k -F sail.bmp -T bmp lcl@difda:jasper $ imginfo -f sail.bmp THE BMP FORMAT IS NOT FULLY SUPPORTED! THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA. IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD. bmp 3 640 480 8 921600 Nothing new there. Using jasper to try to convert to PNM format fails also, as in the past. $ file ht2jk.jpg ht2jk.jpg: JPEG image data, JFIF standard 1.01.......... $ jasper -f ht2jk.jpg -t jpg -T pnm > ht2jk.pnm $ imginfo -f ht2jk.pnm pnm 3 2816 558 8 4713984 Displays correctly. No regressions, supported conversions work, so this is good.
Whiteboard: (none) => MGA7-64-OK
Validating Advisory in Comment 1.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => mageiaKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0241.html
Status: NEW => RESOLVEDResolution: (none) => FIXED