Bug 30847 - jasper new security issue CVE-2022-2963
Summary: jasper new security issue CVE-2022-2963
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-13 23:51 CEST by David Walser
Modified: 2023-03-18 23:18 CET (History)
6 users

See Also:
Source RPM: jasper-2.0.27-1.mga8.src.rpm
CVE: CVE-2022-2963
Status comment:


Attachments

Description David Walser 2022-09-13 23:51:43 CEST
Fedora has issued an advisory on September 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DLYNZDATEV2SVZGDDZDHN7AVYKTNQLDA/

It's not clear if versions older than 3.0.x are affected.
Comment 1 Marja Van Waes 2022-09-14 17:10:03 CEST
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on September 12:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/DLYNZDATEV2SVZGDDZDHN7AVYKTNQLDA/
> 
> It's not clear if versions older than 3.0.x are affected.

Assigning to the registered maintainer

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 2 David Walser 2022-10-21 19:41:39 CEST
openSUSE has issued an advisory for this on October 20:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AJX2RAKJDKVPUGJDMIPOC5U4GLJOZOSU/

2.0.x is affected.

Whiteboard: (none) => MGA8TOO
Summary: jasper possible new security issue CVE-2022-2963 => jasper new security issue CVE-2022-2963
Status comment: (none) => Patch available from openSUSE

Comment 3 Nicolas Salguero 2023-03-13 15:21:27 CET
Hi,

For Cauldron, jasper-3.0.6-1.mga9 solves that issue.

Best regards,

Nico.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero

Comment 4 Nicolas Salguero 2023-03-13 15:43:14 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A vulnerability was found in jasper. This security vulnerability happens because of a memory leak bug in function cmdopts_parse that can cause a crash or segmentation fault. (CVE-2022-2963)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2963
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DLYNZDATEV2SVZGDDZDHN7AVYKTNQLDA/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AJX2RAKJDKVPUGJDMIPOC5U4GLJOZOSU/
========================

Updated packages in core/updates_testing:
========================
jasper-2.0.27-1.1.mga8
lib(64)jasper4-2.0.27-1.1.mga8
lib(64)jasper-devel-2.0.27-1.1.mga8

from SRPM:
jasper-2.0.27-1.1.mga8.src.rpm

Assignee: mageia => qa-bugs
Status: NEW => ASSIGNED
Source RPM: jasper-2.0.33-1.mga9.src.rpm => jasper-2.0.27-1.mga8.src.rpm
Status comment: Patch available from openSUSE => (none)
CVE: (none) => CVE-2022-2963

Comment 5 Len Lawrence 2023-03-13 23:07:54 CET
mga8, x64

CVE-2022-2963:
https://github.com/jasper-software/jasper/issues/332
PoC file = input_file
$ file input_file
input_file: JPEG 2000 Part 1 (JP2)

$ valgrind --show-reachable=yes /usr/bin/jasper --input input_file --output /dev/null --output-format
==3596521== Memcheck, a memory error detector
==3596521== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3596521== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==3596521== Command: /usr/bin/jasper --input input_file --output /dev/null --output-format
==3596521== 
missing argument for option --output-format
For more information on how to use this command, type:
    jasper --help
==3596521== 
==3596521== HEAP SUMMARY:
==3596521==     in use at exit: 8,288 bytes in 1 blocks
==3596521==   total heap usage: 28 allocs, 27 frees, 8,641 bytes allocated
==3596521== 
==3596521== LEAK SUMMARY:
==3596521==    definitely lost: 0 bytes in 0 blocks
==3596521==    indirectly lost: 0 bytes in 0 blocks
==3596521==      possibly lost: 0 bytes in 0 blocks
==3596521==    still reachable: 8,288 bytes in 1 blocks
==3596521==         suppressed: 0 bytes in 0 blocks
==3596521== Rerun with --leak-check=full to see details of leaked memory
==3596521== 
==3596521== For lists of detected and suppressed errors, rerun with: -s
==3596521== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

This differs from the published result in one detail; 8641 bytes allocated.
Not sure if that demonstrated the bug or not.

Preliminary test:
$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan2.jpg
$ file riverpan2.jpg
riverpan2.jpg: JPEG 2000 Part 1 (JP2)

That displayed properly with ImageMagick.

Updated the three packages.
$ valgrind --show-reachable=yes /usr/bin/jasper --input input_file --output /dev/null --output-format
==3606149== Memcheck, a memory error detector
==3606149== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3606149== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==3606149== Command: /usr/bin/jasper --input input_file --output /dev/null --output-format
==3606149== 
missing argument for option --output-format
For more information on how to use this command, type:
    jasper --help
==3606149== 
==3606149== HEAP SUMMARY:
==3606149==     in use at exit: 0 bytes in 0 blocks
==3606149==   total heap usage: 28 allocs, 28 frees, 8,641 bytes allocated
==3606149== 
==3606149== All heap blocks were freed -- no leaks are possible
==3606149== 
==3606149== For lists of detected and suppressed errors, rerun with: -s
==3606149== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

That looks like a positive result so patch is successful.
As before:
$ jasper --input ht2jk.jpg --output-format jp2 --output riverpan2.jpg
Output file looks fine.
And repeating tests from an earlier bug:
$ imginfo -f riverpan2.jpg
jp2 3 2816 558 8 4713984
$ jasper -f sail.j2k -F sail2.bmp -T bmp
sail2.bmp is good in ImageMagick.
$ imginfo -f sail2.bmp
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
bmp 3 640 480 8 921600

But it does give a result.
$ convert sail2.bmp sail2.ppm
$ imginfo -f sail2.ppm
pnm 3 640 480 8 921600

No regressions with these simple tests so this can be sent on.

CC: (none) => tarazed25
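An added QA helper, not from the bug report or from the jasper project, that automates the before/after valgrind comparison made by hand in comment 5: it parses Memcheck's HEAP SUMMARY and passes only when nothing is in use at exit. The function and variable names are mine; the embedded sample lines are copied from the two runs above and the live check assumes jasper and valgrind are on PATH.

```shell
#!/bin/sh
# Added QA helper (not part of the bug report or of jasper): turns the
# manual valgrind before/after comparison for CVE-2022-2963 into a pass/fail
# check, so the "in use at exit" figure is not compared by eye.

# Print the number of bytes still in use at exit from Memcheck output on
# stdin, with thousands separators removed (e.g. "8,288" -> "8288").
valgrind_in_use_bytes() {
    sed -n 's/^==[0-9]*== *in use at exit: \([0-9,]*\) bytes.*/\1/p' | tr -d ','
}

# Return 0 when the HEAP SUMMARY reports 0 bytes in use at exit, 1 when a
# block is still live or no HEAP SUMMARY line was found.
valgrind_leak_free() {
    n=$(valgrind_in_use_bytes)
    [ -n "$n" ] && [ "$n" -eq 0 ]
}

# Run the reproducer from comment 5 (jasper given --output-format with no
# argument) under valgrind on the image in "$1" and report leak-free or not.
# Assumes /usr/bin/jasper and valgrind are installed (assumption).
check_jasper_cmdopts_leak() {
    valgrind --show-reachable=yes /usr/bin/jasper --input "$1" \
        --output /dev/null --output-format 2>&1 | valgrind_leak_free
}

# Constructed sample input: the HEAP SUMMARY lines of the two runs in
# comment 5, before and after the update.
BEFORE_FIX='==3596521== HEAP SUMMARY:
==3596521==     in use at exit: 8,288 bytes in 1 blocks
==3596521==   total heap usage: 28 allocs, 27 frees, 8,641 bytes allocated'
AFTER_FIX='==3606149== HEAP SUMMARY:
==3606149==     in use at exit: 0 bytes in 0 blocks
==3606149==   total heap usage: 28 allocs, 28 frees, 8,641 bytes allocated'

# Live check, only when the caller names an input image via JASPER_INPUT
# (hypothetical variable name), e.g. JASPER_INPUT=input_file sh check.sh
if [ -n "${JASPER_INPUT:-}" ]; then
    if check_jasper_cmdopts_leak "$JASPER_INPUT"; then
        echo "PASS: no heap blocks in use at exit"
    else
        echo "FAIL: heap still in use at exit (leak present)"
    fi
fi
```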

Len Lawrence 2023-03-13 23:08:34 CET

Whiteboard: (none) => MGA8-64-OK

Comment 6 Len Lawrence 2023-03-14 00:20:02 CET
Hmm.  Having reservations about this.  That last operation should have been:
$ jasper -f sail.j2k -F sail3.ppm -T pnm
$ file sail3.ppm
sail3.ppm: Netpbm image data, size = 640 x 480, rawbits, pixmap
$ display sail3.ppm
OK

imginfo hangs, so there may be a regression there.  Tried the conversion again but the hangup occurred again.  It hangs also when run from valgrind.
==3622065== Process terminating with default action of signal 2 (SIGINT)
==3622065==    at 0x49B0BFE: read (in /usr/lib64/libc-2.32.so)
==3622065==    by 0x488FE3C: ??? (in /usr/lib64/libjasper.so.4.0.0)
==3622065==    by 0x489053E: jas_stream_fillbuf (in /usr/lib64/libjasper.so.4.0.0)
==3622065==    by 0x48907C5: jas_stream_read (in /usr/lib64/libjasper.so.4.0.0)
==3622065==    by 0x4890854: jas_stream_peek (in /usr/lib64/libjasper.so.4.0.0)
==3622065==    by 0x48B3A52: pnm_validate (in /usr/lib64/libjasper.so.4.0.0)
==3622065==    by 0x488D77D: jas_image_getfmt (in /usr/lib64/libjasper.so.4.0.0)
==3622065==    by 0x40135D: main (in /usr/bin/imginfo)
 
Pushing this back to Nicolas and removing the OK.

Whiteboard: MGA8-64-OK => (none)

Comment 7 Len Lawrence 2023-03-14 00:28:34 CET
Oh no.  Senile dementia.
$ jasper -f sail.j2k -F sail4.ppm -T pnm
$ file sail4.pnm
sail4.pnm: cannot open `sail4.pnm' (No such file or directory)
$ file sail4.ppm
sail4.ppm: Netpbm image data, size = 640 x 480, rawbits, pixmap
$ imginfo -f sail4.ppm
pnm 3 640 480 8 921600

Apologies.

Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2023-03-15 18:56:54 CET
No need to apologize, Len. 

Validating. Advisory in comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-16 03:57:55 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2023-03-18 23:18:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0091.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
