SUSE has issued an advisory on April 23: https://lwn.net/Articles/970881/ The problem is fixed in version 4.2.3 or with the following commit: https://github.com/jasper-software/jasper/commit/6d084c53a77762f41bb5310713a5f1872fef55f5 Mageia 9 is also affected.
Whiteboard: (none) => MGA9TOOSource RPM: (none) => jasper-4.2.1-1.mga10.src.rpmStatus comment: (none) => Fixed upstream in 4.2.3 and patch available from upstreamCVE: (none) => CVE-2024-31744
Assigning to DavidG as you put up jasper v4.2.1, and generally maintain it.
Assignee: bugsquad => geiger.david68210
Assigning to QA, Packages in 9/Core/Updates_testing: ====================== jasper-3.0.6-1.1.mga9 libjasper-devel-3.0.6-1.1.mga9 libjasper6-3.0.6-1.1.mga9 lib64jasper-devel-3.0.6-1.1.mga9 lib64jasper6-3.0.6-1.1.mga9 From SRPMS: jasper-3.0.6-1.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)Version: Cauldron => 9Assignee: geiger.david68210 => qa-bugs
Keywords: (none) => advisory
RH mageia 9 x86_64 Download the poc from https://github.com/jasper-software/jasper/issues/381 Extract the file Run the command jasper --input-format png --input-option verbose=true --output-format jp2 --output-option quality=90 --input poc --output /tmp/file0.jp2 warning: ignoring invalid input format png warning: ignoring invalid option verbose warning: trailing garbage in marker segment (6 bytes) warning: ignoring unknown marker segment (0xff67) warning: trailing garbage in marker segment (32 bytes) warning: not enough tile data (7 bytes) jasper: /home/iurt/rpmbuild/BUILD/jasper-3.0.6/src/libjasper/jpc/jpc_dec.c:2407: jpc_streamlist_remove: Assertion `streamno < streamlist->numstreams' failed. Abortado (`core' generado) LC_ALL=C urpmi --auto --auto-update medium "QA Testing (32-bit)" is up-to-date medium "QA Testing (64-bit)" is up-to-date medium "Core Release (distrib1)" is up-to-date medium "Core Updates (distrib3)" is up-to-date medium "Nonfree Release (distrib11)" is up-to-date medium "Nonfree Updates (distrib13)" is up-to-date medium "Tainted Release (distrib21)" is up-to-date medium "Tainted Updates (distrib23)" is up-to-date medium "Core 32bit Release (distrib31)" is up-to-date medium "Core 32bit Updates (distrib32)" is up-to-date medium "Nonfree 32bit Release (distrib36)" is up-to-date medium "Tainted 32bit Release (distrib41)" is up-to-date medium "Tainted 32bit Updates (distrib42)" is up-to-date installing lib64jasper6-3.0.6-1.1.mga9.x86_64.rpm jasper-3.0.6-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/2: lib64jasper6 ################################################################################################## 2/2: jasper ################################################################################################## 1/2: removing jasper-3.0.6-1.mga9.x86_64 ################################################################################################## 2/2: removing lib64jasper6-3.0.6-1.mga9.x86_64 ################################################################################################## jasper --input-format png --input-option verbose=true --output-format jp2 --output-option quality=90 --input poc --output /tmp/file0.jp2 warning: ignoring invalid input format png warning: ignoring invalid option verbose warning: trailing garbage in marker segment (6 bytes) warning: ignoring unknown marker segment (0xff67) warning: trailing garbage in marker segment (32 bytes) warning: not enough tile data (7 bytes) alignment failed jpc_dec_decodepkt failed jpc_dec_decodepkts failed jas_image_decode: decode operation failed error: cannot load image data
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
This was pushed to updates while Bugzilla was down. https://advisories.mageia.org/MGASA-2024-0144.html
Resolution: (none) => FIXEDCC: (none) => danStatus: NEW => RESOLVED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0144.html