Fedora has issued an advisory on March 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6OUXMOIV77VDB6PQ4K2ZRB44DQYYHIXW/ The issue is fixed upstream in 2.0.27. Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 2.0.27Whiteboard: (none) => MGA8TOO, MGA7TOO
Fedora has issued an advisory on March 29: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KWAIUFNIUCGS2IMGGDTWZIUIY7BNLGKF/ The issue is fixed upstream in 2.0.26.
Summary: jasper new security issue CVE-2021-3443 => jasper new security issues CVE-2021-3443 and CVE-2021-3467
Done for mga8 and mga7! Also for mingw-jasper for mga8!
RPMS: jasper-2.0.27-1.mga7 libjasper4-2.0.27-1.mga7 libjasper-devel-2.0.27-1.mga7 jasper-2.0.27-1.mga8 libjasper4-2.0.27-1.mga8 libjasper-devel-2.0.27-1.mga8 mingw32-jasper-2.0.27-1.mga8 mingw64-jasper-2.0.27-1.mga8 mingw32-jasper-static-2.0.27-1.mga8 mingw64-jasper-static-2.0.27-1.mga8 from SRPMS: jasper-2.0.27-1.mga7.src.rpm jasper-2.0.27-1.mga8.src.rpm mingw-jasper-2.0.27-1.mga8.src.rpm
CC: (none) => geiger.david68210Status comment: Fixed upstream in 2.0.27 => (none)Whiteboard: MGA8TOO, MGA7TOO => MGA7TOOAssignee: geiger.david68210 => qa-bugs
Mageia 8 X64 KDE No installation issues rpm -q jasper: jasper-2.0.27-1.mga8 $ jasper --version 2.0.27 libjasper 2.0.25 $ jasper --help JasPer Transcoder (Version 2.0.27). Copyright (c) 2001-2006 Michael David Adams. Copyright (c) 1999-2000 Image Power, Inc. and the University of British Columbia. All rights reserved. For more information about this software, please visit the following web sites/pages: http://www.ece.uvic.ca/~mdadams/jasper http://www.jpeg.org/software To be added to the (moderated) JasPer software announcements mailing list, send an email to: jasper-announce-subscribe@yahoogroups.com To be added to the (unmoderated) JasPer software discussion mailing list, send an email to: jasper-discussion-subscribe@yahoogroups.com Please send any bug reports to: mdadams@ieee.org usage: jasper [options] The following options are supported: --help Print this help information and exit. --version Print version information and exit. --verbose Enable verbose mode. --debug-level $lev Set the debug level to $lev. --input $file Read the input image from the file named $file and more informations.. I tried to convert a .bmp file to .jpg with success. $ jasper -f exemple_sa1_tic.bmp --output exemple_sa1_tic.jpg --output-format jpg I've got warnings due to bmp but it's ok. Size results: exemple_sa1_tic.bmp = 2.5Mio exemple_sa1_tic.jpg = 96.7Kio imgcmp Command $ imgcmp --help Image Comparison Utility (Version 2.0.27). Copyright (c) 2001 Michael David Adams. All rights reserved. usage: imgcmp -f reference_image_file -F other_image_file [-m metric] The metric argument may assume one of the following values: psnr .... peak signal to noise ratio mse ..... mean squared error rmse .... root mean squared error pae ..... peak absolute error mae ..... mean absolute error equal ... equality (boolean) Seems to be ok for me.
CC: (none) => hdetavernier
Thanks Hugues and welcome to QA. Just following up with the mingw items and a PoC. Installed the four mingw packages, which drew in a stack of dependencies. Before updating: CVE-2021-3443 https://github.com/jasper-software/jasper/issues/269 $ jasper --output 1.jpg --input jasper_poc_v2.026 Segmentation fault (core dumped) Updated jasper and the mingw packages. $ jasper --output 1.jpg --input jasper_poc_v2.026 error: invalid component reference (3) error: cannot load image data <Good result> Clean update for the mingw packages. Don't know how to handle them so leaving them be. Giving this the OK on the basis of Hugues' tests.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OKCC: (none) => tarazed25
mga7, x64 Before updates: CVE-2021-3467 https://github.com/jasper-software/jasper/issues/268 $ jasper --input poc.268 --output poc268.jp2 Segmentation fault (core dumped) CVE-2021-3443 https://github.com/jasper-software/jasper/issues/269 $ jasper --output 2.jpg --input jasper_poc_v2.026 Segmentation fault (core dumped) After updates: CVE-2021-3467 $ jasper --input poc.268 --output poc268.jp2 error: invalid component reference in CDEF box (3) error: cannot load image data CVE-2021-3443 $ jasper --output 2.jpg --input jasper_poc_v2.026 error: invalid component reference (3) error: cannot load image data Graceful exits in both cases, so issues have been detected and dealt with. Following Hugues' lead in comment 4: Bitmap formats: $ jasper -f test2.bmp --output test2.jpg --output-format jp2 $ file test2.jpg test2.jpg: JPEG 2000 Part 1 (JP2) $ jasper -f test2.bmp --output test2b.jpg --output-format jpg $ file test2b.jpg test2b.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 2552x1702, components 3 $ jasper -f GlenShiel.pnm --output glenshiel.jp2 $ file glenshiel.jp2 glenshiel.jp2: JPEG 2000 Part 1 (JP2) $ jasper -f Ikapati.pgm --output ikapati.jpg $ file ikapati.jpg ikapati.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 614x614, components 1 $ jasper -f mandrill.jp2 --output mandrill.ppm $ file mandrill.ppm mandrill.ppm: Netpbm image data, size = 256 x 256, rawbits, greymap $ eom mandrill.ppm displays correctly. Looks like jasper does not deal with png, tiff or vector formats. From $ jasper --help The following formats are supported: pnm Portable Graymap/Pixmap (PNM) bmp Microsoft Bitmap (BMP) ras Sun Rasterfile (RAS) jp2 JPEG-2000 JP2 File Format Syntax (ISO/IEC 15444-1) jpc JPEG-2000 Code Stream Syntax (ISO/IEC 15444-1) jpg JPEG (ISO/IEC 10918-1) pgx JPEG-2000 VM Format (PGX) $ jasper -f JessicaAlba.jpg --output jessica.pgx error: PGX format does not support color space error: cannot encode image $ convert -monochrome JessicaAlba.jpg jessica_grey.jpg $ jasper -f jessica_grey.jpg --output jessica.pgx $ display jessica.pgx displays correctly. Sending this on.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Advisory: ======================== Updated jasper packages fix security vulnerabilities: A NULL pointer dereference flaw was found in the way Jasper versions before 2.0.27 handled component references in the JP2 image format decoder. A specially crafted JP2 image file could cause an application using the Jasper library to crash when opened (CVE-2021-3443). A NULL pointer dereference flaw was found in the way Jasper versions before 2.0.26 handled component references in CDEF box in the JP2 image format decoder. A specially crafted JP2 image file could cause an application using the Jasper library to crash when opened (CVE-2021-3467). References: - https://bugs.mageia.org/show_bug.cgi?id=29017 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3443 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3467 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KWAIUFNIUCGS2IMGGDTWZIUIY7BNLGKF/ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6OUXMOIV77VDB6PQ4K2ZRB44DQYYHIXW/ ======================== Updated package in 7/core/updates_testing: ======================== jasper-2.0.27-1.mga7 lib(64)jasper4-2.0.27-1.mga7 lib(64)jasper-devel-2.0.27-1.mga7 from SRPM: jasper-2.0.27-1.mga7.src.rpm Updated package in 8/core/updates_testing: ======================== jasper-2.0.27-1.mga8 lib(64)jasper4-2.0.27-1.mga8 lib(64)jasper-devel-2.0.27-1.mga8 mingw32-jasper-2.0.27-1.mga8 mingw64-jasper-2.0.27-1.mga8 mingw32-jasper-static-2.0.27-1.mga8 mingw64-jasper-static-2.0.27-1.mga8 from SRPMS: jasper-2.0.27-1.mga8.src.rpm mingw-jasper-2.0.27-1.mga8.src.rpm
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-3443, CVE-2021-3467Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0249.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED