UbuntuUpdates.org

Package "jasper"

Name: jasper

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Development files for the JasPer JPEG-2000 library
  • JasPer JPEG-2000 runtime library

Latest version: 1.900.1-14ubuntu3.5
Release: trusty (14.04)
Level: security
Repository: main

Links



Other versions of "jasper" in Trusty

Repository Area Version
base main 0.69
security universe 1.900.1-14ubuntu3.5
updates universe 1.900.1-14ubuntu3.5
updates main 1.900.1-14ubuntu3.5

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.900.1-14ubuntu3.5 2018-06-27 19:06:52 UTC

  jasper (1.900.1-14ubuntu3.5) trusty-security; urgency=medium

  * SECURITY UPDATE: double-free in jasper_image_stop_load
    - debian/patches/CVE-2015-5203-CVE-2016-9262.patch: fix overflow and
      double free in src/libjasper/base/jas_image.c,
      src/libjasper/include/jasper/jas_math.h.
      (Thanks to Red Hat for the patch!)
    - CVE-2015-5203
  * SECURITY UPDATE: use-after-free in mif_process_cmpt
    - debian/patches/CVE-2015-5221.patch: fix use-after-free in
      src/libjasper/mif/mif_cod.c.
    - CVE-2015-5221
  * SECURITY UPDATE: denial of service in jpc_tsfb_synthesize
    - debian/patches/CVE-2016-10248.patch: fix type promotion and prevent
      null pointer dereference in src/libjasper/include/jasper/jas_seq.h,
      src/libjasper/jpc/jpc_dec.c, src/libjasper/jpc/jpc_tsfb.c.
    - CVE-2016-10248
  * SECURITY UPDATE: denial of service in jp2_colr_destroy
    - debian/patches/CVE-2016-10250.patch: fix cleanup in
      src/libjasper/jp2/jp2_cod.c.
    - CVE-2016-10250
  * SECURITY UPDATE: denial of service in jpc_dec_tiledecode
    - debian/patches/CVE-2016-8883.patch: remove asserts in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2016-8883
  * SECURITY UPDATE: denial of service in jp2_colr_destroy
    - debian/patches/CVE-2016-8887.patch: don't destroy box that doesn't
      exist in src/libjasper/jp2/jp2_cod.c, src/libjasper/jp2/jp2_dec.c.
    - CVE-2016-8887
  * SECURITY UPDATE: integer overflow in jpc_dec_process_siz
    - debian/patches/CVE-2016-9387-1.patch: fix overflow in
      src/libjasper/jpc/jpc_dec.c.
    - debian/patches/CVE-2016-9387-2.patch: add more checks to
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2016-9387
  * SECURITY UPDATE: denial of service in ras_getcmap
    - debian/patches/CVE-2016-9388.patch: remove assertions in
      src/libjasper/ras/ras_dec.c, src/libjasper/ras/ras_enc.c.
    - CVE-2016-9388
  * SECURITY UPDATE: denial of service in jpc_irct and jpc_iict functions
    - debian/patches/CVE-2016-9389.patch: add check to
      src/libjasper/base/jas_image.c, src/libjasper/jpc/jpc_dec.c,
      src/libjasper/include/jasper/jas_image.h.
    - CVE-2016-9389
  * SECURITY UPDATE: denial of service in jas_seq2d_create
    - debian/patches/CVE-2016-9390.patch: check tiles in
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9390
  * SECURITY UPDATE: denial of service in jpc_bitstream_getbits
    - debian/patches/CVE-2016-9391.patch: add tests to
      src/libjasper/jpc/jpc_bs.c, src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9391
  * SECURITY UPDATE: multiple denial of service issues
    - debian/patches/CVE-2016-9392-3-4.patch: add more checks to
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9392
    - CVE-2016-9393
    - CVE-2016-9394
  * SECURITY UPDATE: denial of service in JPC_NOMINALGAIN
    - debian/patches/CVE-2016-9396.patch: add check to
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9396
  * SECURITY UPDATE: denial of service via crafted image
    - debian/patches/CVE-2016-9600.patch: add more checks to
      src/libjasper/jp2/jp2_enc.c.
    - CVE-2016-9600
  * SECURITY UPDATE: NULL pointer exception in jp2_encode
    - debian/patches/CVE-2017-1000050.patch: check number of components in
      src/libjasper/jp2/jp2_enc.c.
    - CVE-2017-1000050
  * SECURITY UPDATE: denial of service in jp2_cdef_destroy
    - debian/patches/CVE-2017-6850.patch: initialize data in
      src/libjasper/base/jas_stream.c, src/libjasper/jp2/jp2_cod.c.
    - CVE-2017-6850

 -- Marc Deslauriers <email address hidden> Wed, 27 Jun 2018 11:04:48 -0400

Source diff to previous version
CVE-2015-5203 Double free vulnerability in the jasper_image_stop_load function in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via
CVE-2016-9262 Multiple integer overflows in the (1) jas_realloc function in base/jas_malloc.c and (2) mem_resize function in base/jas_stream.c in JasPer before 1.9
CVE-2015-5221 Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote
CVE-2016-10248 The jpc_tsfb_synthesize function in jpc_tsfb.c in JasPer before 1.900.9 allows remote attackers to cause a denial of service (NULL pointer dereferenc
CVE-2016-10250 The jp2_colr_destroy function in jp2_cod.c in JasPer before 1.900.13 allows remote attackers to cause a denial of service (NULL pointer dereference)
CVE-2016-8883 The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (assertion failure) via a
CVE-2016-8887 The jp2_colr_destroy function in libjasper/jp2/jp2_cod.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (NULL pointer
CVE-2016-9387 Integer overflow in the jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.13 allows remote attackers to have unspecified
CVE-2016-9388 The ras_getcmap function in ras_dec.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafte
CVE-2016-9389 The jpc_irct and jpc_iict functions in jpc_mct.c in JasPer before 1.900.14 allow remote attackers to cause a denial of service (assertion failure).
CVE-2016-9390 The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a c
CVE-2016-9391 The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a
CVE-2016-9392 The calcstepsizes function in jpc_dec.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a craf
CVE-2016-9393 The jpc_pi_nextrpcl function in jpc_t2cod.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a
CVE-2016-9394 The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a c
CVE-2016-9396 The JPC_NOMINALGAIN function in jpc/jpc_t1cod.c in JasPer through 2.0.12 allows remote attackers to cause a denial of service (JPC_COX_RFT assertion
CVE-2016-9600 JasPer before version 2.0.10 is vulnerable to a null pointer dereference was found in the decoded creation of JPEG 2000 image files. A specially craf
CVE-2017-1000050 JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check to see if the image contained at least one c
CVE-2017-6850 The jp2_cdef_destroy function in jp2_cod.c in JasPer before 2.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) vi

Version: 1.900.1-14ubuntu3.4 2017-05-18 18:06:42 UTC

  jasper (1.900.1-14ubuntu3.4) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      1.900.1-debian1-2.4+deb8u3 release. Thanks!
    - CVE-2016-1867, CVE-2016-2089, CVE-2016-8654, CVE-2016-8691,
      CVE-2016-8692, CVE-2016-8693, CVE-2016-8882, CVE-2016-9560,
      CVE-2016-9591, CVE-2016-10249, CVE-2016-10251

 -- Marc Deslauriers <email address hidden> Thu, 18 May 2017 10:42:09 -0400

Source diff to previous version
CVE-2016-1867 The jpc_pi_nextcprl function in JasPer 1.900.1 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a
CVE-2016-2089 The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash)
CVE-2016-8654 Heap-based buffer overflow in QMFB code in JPC codec
CVE-2016-8691 The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-
CVE-2016-8692 The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-
CVE-2016-8693 Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (c
CVE-2016-8882 The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (NULL pointer
CVE-2016-9560 Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_tsfb.c in JasPer before 1.900.30 allows remote attackers to have unspecified im
CVE-2016-9591 Use-after-free on heap in jas_matrix_destroy
CVE-2016-1024 Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to
CVE-2016-1025 Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to

Version: 1.900.1-14ubuntu3.3 2016-03-03 15:07:44 UTC

  jasper (1.900.1-14ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <email address hidden> Fri, 26 Feb 2016 00:07:11 -0600

Source diff to previous version
1547865 Double free in libjasper jas_icc.c
CVE-2016-1577 double free vulnerability in the jas_iccattrval_destroy function
CVE-2016-2116 memory leak in the jas_iccprof_createfrombuf function

Version: 1.900.1-14ubuntu3.2 2015-01-26 14:06:21 UTC

  jasper (1.900.1-14ubuntu3.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted ICC color profile
    - debian/patches/05-CVE-2014-8137.patch: prevent double-free in
      src/libjasper/base/jas_icc.c, remove assert in
      src/libjasper/jp2/jp2_dec.c.
    - CVE-2014-8137
  * SECURITY UPDATE: denial of service or code execution via invalid
    channel number
    - debian/patches/06-CVE-2014-8138.patch: validate channel number in
      src/libjasper/jp2/jp2_dec.c.
    - CVE-2014-8138
  * SECURITY UPDATE: denial of service or code execution via off-by-one
    - debian/patches/07-CVE-2014-8157.patch: fix off-by-one in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2014-8157
  * SECURITY UPDATE: denial of service or code execution via memory
    corruption
    - debian/patches/08-CVE-2014-8158.patch: remove HAVE_VLA to use more
      sensible buffer sizes in src/libjasper/jpc/jpc_qmfb.c.
    - CVE-2014-8158
 -- Marc Deslauriers <email address hidden> Thu, 22 Jan 2015 13:00:10 -0500

Source diff to previous version
CVE-2014-8137 Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (
CVE-2014-8138 Heap-based buffer overflow in the jp2_decode function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or p
CVE-2014-8157 off-by-one heap buffer overflow
CVE-2014-8158 stack overflow

Version: 1.900.1-14ubuntu3.1 2014-12-08 15:06:24 UTC

  jasper (1.900.1-14ubuntu3.1) trusty-security; urgency=medium

  * SECURITY UPDATE: heap overflows via crafted jp2 file
    - debian/patches/04-CVE-2014-9029.patch: fix off-by-one in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2014-9029
 -- Marc Deslauriers <email address hidden> Fri, 05 Dec 2014 09:01:05 -0500

CVE-2014-9029 input sanitization errors



About   -   Send Feedback to @ubuntu_updates