The newest version of jasper in MDV 2010.2 updates is jasper-1.900.1-12.1mdv2010.2 which since it was imported in mga1 contains multiarch fixes which may be relevant: http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/jasper/current/SPECS/jasper.spec?r1=606067&r2=661673 as well as the security update: http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/jasper/current/SPECS/jasper.spec?r1=740106&r2=742028 Here is the package changelog from the update: * Fri Dec 16 2011 Oden Eriksson <oeriksson@mandriva.com> 1.900.1-12.1 - P8: security fixes for CVE-2011-4516, CVE-2011-4517 (CERT VU#887409) - P10 - P16: fixes various errors found by static analysis of code (coverity) - P3, P4, P5, P6 now replaces the ubuntu patch (P0) which fixed the same issues (CVE-2007-2721, CVE-2008-3520, CVE-2008-3521, CVE-2008-3522) and the advisory: http://lists.mandriva.com/security-announce/2011-12/msg00014.php
multiarch changes are because rpm5 doesn't work exactly the same way as us ( rpm.org ). I will look for the sec issue.
Status: NEW => ASSIGNEDCC: (none) => dmorganec
Please test new package ( in update_testing )
Status: ASSIGNED => NEWAssignee: bugsquad => qa-bugs
Just a note to QA, the only thing jasper is used for in Mageia is it is used by Kopete for viewing a webcam through the Yahoo! protocol. I don't think I can test this functionality, but that's what's needed to verify that it works.
Testing complete on i586 for the srpm jasper-1.900.1-11.1.mga1.src.rpm Running under strace confirms simply viewing my on webcam in the configure/video section calls /usr/lib/libjasper.so.1, so I think this is adequate for testing purposes.
CC: (none) => davidwhodgins
(In reply to comment #4) > > Running under strace confirms simply viewing my on webcam in the > configure/video section calls /usr/lib/libjasper.so.1, so I think > this is adequate for testing purposes. Tested complete the srpm jasper-1.900.1-11.1.mga1.src.rpm on Mageia release 1 (Official) for x86_64.
CC: (none) => geiger.david68210
Validating Advisory: ======================== Updated jasper packages fix security vulnerabilities: Heap-based buffer overflow in the jpc_cox_getcompparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted numrlvls value in a JPEG2000 file (CVE-2011-4516). The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 uses an incorrect data type during a certain size calculation, which allows remote attackers to trigger a heap-based buffer overflow and execute arbitrary code, or cause a denial of service (heap memory corruption), via a malformed JPEG2000 file (CVE-2011-4517). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516 http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:189 ======================== Updated packages in core/updates_testing: ======================== jasper-1.900.1-11.1.mga1 libjasper-devel-1.900.1-11.1.mga1 libjasper-static-devel-1.900.1-11.1.mga1 libjasper1-1.900.1-11.1.mga1 from jasper-1.900.1-11.1.mga1.src.rpm ======================== Could sysadmin please push from core/updates_testing to core/updates Thank you!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsHardware: i586 => All
Update pushed.
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED