Change logs for jasper source package in Trusty

  • jasper (1.900.1-14ubuntu3.5) trusty-security; urgency=medium
    
      * SECURITY UPDATE: double-free in jasper_image_stop_load
        - debian/patches/CVE-2015-5203-CVE-2016-9262.patch: fix overflow and
          double free in src/libjasper/base/jas_image.c,
          src/libjasper/include/jasper/jas_math.h.
          (Thanks to Red Hat for the patch!)
        - CVE-2015-5203
      * SECURITY UPDATE: use-after-free in mif_process_cmpt
        - debian/patches/CVE-2015-5221.patch: fix use-after-free in
          src/libjasper/mif/mif_cod.c.
        - CVE-2015-5221
      * SECURITY UPDATE: denial of service in jpc_tsfb_synthesize
        - debian/patches/CVE-2016-10248.patch: fix type promotion and prevent
          null pointer dereference in src/libjasper/include/jasper/jas_seq.h,
          src/libjasper/jpc/jpc_dec.c, src/libjasper/jpc/jpc_tsfb.c.
        - CVE-2016-10248
      * SECURITY UPDATE: denial of service in jp2_colr_destroy
        - debian/patches/CVE-2016-10250.patch: fix cleanup in
          src/libjasper/jp2/jp2_cod.c.
        - CVE-2016-10250
      * SECURITY UPDATE: denial of service in jpc_dec_tiledecode
        - debian/patches/CVE-2016-8883.patch: remove asserts in
          src/libjasper/jpc/jpc_dec.c.
        - CVE-2016-8883
      * SECURITY UPDATE: denial of service in jp2_colr_destroy
        - debian/patches/CVE-2016-8887.patch: don't destroy box that doesn't
          exist in src/libjasper/jp2/jp2_cod.c, src/libjasper/jp2/jp2_dec.c.
        - CVE-2016-8887
      * SECURITY UPDATE: integer overflow in jpc_dec_process_siz
        - debian/patches/CVE-2016-9387-1.patch: fix overflow in
          src/libjasper/jpc/jpc_dec.c.
        - debian/patches/CVE-2016-9387-2.patch: add more checks to
          src/libjasper/jpc/jpc_dec.c.
        - CVE-2016-9387
      * SECURITY UPDATE: denial of service in ras_getcmap
        - debian/patches/CVE-2016-9388.patch: remove assertions in
          src/libjasper/ras/ras_dec.c, src/libjasper/ras/ras_enc.c.
        - CVE-2016-9388
      * SECURITY UPDATE: denial of service in jpc_irct and jpc_iict functions
        - debian/patches/CVE-2016-9389.patch: add check to
          src/libjasper/base/jas_image.c, src/libjasper/jpc/jpc_dec.c,
          src/libjasper/include/jasper/jas_image.h.
        - CVE-2016-9389
      * SECURITY UPDATE: denial of service in jas_seq2d_create
        - debian/patches/CVE-2016-9390.patch: check tiles in
          src/libjasper/jpc/jpc_cs.c.
        - CVE-2016-9390
      * SECURITY UPDATE: denial of service in jpc_bitstream_getbits
        - debian/patches/CVE-2016-9391.patch: add tests to
          src/libjasper/jpc/jpc_bs.c, src/libjasper/jpc/jpc_cs.c.
        - CVE-2016-9391
      * SECURITY UPDATE: multiple denial of service issues
        - debian/patches/CVE-2016-9392-3-4.patch: add more checks to
          src/libjasper/jpc/jpc_cs.c.
        - CVE-2016-9392
        - CVE-2016-9393
        - CVE-2016-9394
      * SECURITY UPDATE: denial of service in JPC_NOMINALGAIN
        - debian/patches/CVE-2016-9396.patch: add check to
          src/libjasper/jpc/jpc_cs.c.
        - CVE-2016-9396
      * SECURITY UPDATE: denial of service via crafted image
        - debian/patches/CVE-2016-9600.patch: add more checks to
          src/libjasper/jp2/jp2_enc.c.
        - CVE-2016-9600
      * SECURITY UPDATE: NULL pointer exception in jp2_encode
        - debian/patches/CVE-2017-1000050.patch: check number of components in
          src/libjasper/jp2/jp2_enc.c.
        - CVE-2017-1000050
      * SECURITY UPDATE: denial of service in jp2_cdef_destroy
        - debian/patches/CVE-2017-6850.patch: initialize data in
          src/libjasper/base/jas_stream.c, src/libjasper/jp2/jp2_cod.c.
        - CVE-2017-6850
    
     -- Marc Deslauriers <email address hidden>  Wed, 27 Jun 2018 11:04:48 -0400
  • jasper (1.900.1-14ubuntu3.4) trusty-security; urgency=medium
    
      * SECURITY UPDATE: multiple security issues
        - debian/patches/*: synchronize security fixes with Debian's
          1.900.1-debian1-2.4+deb8u3 release. Thanks!
        - CVE-2016-1867, CVE-2016-2089, CVE-2016-8654, CVE-2016-8691,
          CVE-2016-8692, CVE-2016-8693, CVE-2016-8882, CVE-2016-9560,
          CVE-2016-9591, CVE-2016-10249, CVE-2016-10251
    
     -- Marc Deslauriers <email address hidden>  Thu, 18 May 2017 10:42:09 -0400
  • jasper (1.900.1-14ubuntu3.3) trusty-security; urgency=medium
    
      * SECURITY UPDATE: Denial of service or possible code execution via crafted
        ICC color profile (LP: #1547865)
        - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
          src/libjasper/base/jas_icc.c
        - CVE-2016-1577
      * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
        color profile
        - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
          src/libjasper/base/jas_icc.c
        - CVE-2016-2116
    
     -- Tyler Hicks <email address hidden>  Fri, 26 Feb 2016 00:07:11 -0600
  • jasper (1.900.1-14ubuntu3.2) trusty-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via crafted ICC color profile
        - debian/patches/05-CVE-2014-8137.patch: prevent double-free in
          src/libjasper/base/jas_icc.c, remove assert in
          src/libjasper/jp2/jp2_dec.c.
        - CVE-2014-8137
      * SECURITY UPDATE: denial of service or code execution via invalid
        channel number
        - debian/patches/06-CVE-2014-8138.patch: validate channel number in
          src/libjasper/jp2/jp2_dec.c.
        - CVE-2014-8138
      * SECURITY UPDATE: denial of service or code execution via off-by-one
        - debian/patches/07-CVE-2014-8157.patch: fix off-by-one in
          src/libjasper/jpc/jpc_dec.c.
        - CVE-2014-8157
      * SECURITY UPDATE: denial of service or code execution via memory
        corruption
        - debian/patches/08-CVE-2014-8158.patch: remove HAVE_VLA to use more
          sensible buffer sizes in src/libjasper/jpc/jpc_qmfb.c.
        - CVE-2014-8158
    
     -- Marc Deslauriers <email address hidden>  Thu, 22 Jan 2015 13:00:10 -0500
  • jasper (1.900.1-14ubuntu3.1) trusty-security; urgency=medium
    
      * SECURITY UPDATE: heap overflows via crafted jp2 file
        - debian/patches/04-CVE-2014-9029.patch: fix off-by-one in
          src/libjasper/jpc/jpc_dec.c.
        - CVE-2014-9029
    
     -- Marc Deslauriers <email address hidden>  Fri, 05 Dec 2014 09:01:05 -0500
  • jasper (1.900.1-14ubuntu3) trusty; urgency=low
    
      * Build using dh-autoreconf.
    
     -- Matthias Klose <email address hidden>  Fri, 06 Dec 2013 15:37:06 +0100
  • jasper (1.900.1-14ubuntu2) trusty; urgency=low
    
      * Build using dh-autoreconf.
    
     -- Matthias Klose <email address hidden>  Fri, 06 Dec 2013 15:37:06 +0100
  • jasper (1.900.1-14ubuntu1) trusty; urgency=low
    
      * Build using dh-autoreconf.
    
     -- Matthias Klose <email address hidden>  Fri, 06 Dec 2013 15:37:06 +0100
  • jasper (1.900.1-14) unstable; urgency=low
    
      * Fix FTBFS on Hurd by defining PATH_MAX (Closes: #690298)
        Thanks to Pino Toscano!
    
     -- Roland Stigge <email address hidden>  Sat, 13 Oct 2012 18:06:57 +0200