FS#46056 - [jasper] CVE-2015-5203: double-free vulnerability

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Friday, 21 August 2015, 15:13 GMT
Last edited by Levente Polyak (anthraxx) - Wednesday, 23 November 2016, 12:51 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Eric Belanger (Snowman)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Hi,

A double-free has been found [1][2] in jasper, and our version 1.900.1-13 is vulnerable. It does not seem that this library is actively maintained, but a patch has been provided [3] on the oss-sec mailing list. IMHO it would be nice to backport it.

[1]: http://www.openwall.com/lists/oss-security/2015/08/16/2
[2]: http://www.openwall.com/lists/oss-security/2015/08/21/4
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c3

Closed by Levente Polyak (anthraxx)
Wednesday, 23 November 2016, 12:51 GMT
Reason for closing: Fixed
Additional comments about closing: jasper-1.900.31-1 (currently in testing)
Comment by Remi Gacogne (rgacogne) - Friday, 21 August 2015, 15:14 GMT
Looks like a new issue has been found, no patch so far: http://www.openwall.com/lists/oss-security/2015/08/20/4
Comment by Eric Belanger (Snowman) - Saturday, 22 August 2015, 00:17 GMT
CVE-2015-5203 is fixed in jasper-1.900.1-14. I'll close this bug once the latest issue is fixed, when a patch is out.
Comment by Jan de Groot (JGC) - Wednesday, 04 May 2016, 10:12 GMT
Patch has been reverted in -15 because it breaks public ABI/API.

Other distributions don't have any intention to fix CVE-2015-5203, and so far there is no patch for CVE-2015-5221, so we might want to close this as WONTFIX.
Comment by Levente Polyak (anthraxx) - Wednesday, 04 May 2016, 11:28 GMT
If it doesn't hurt too much, we in the sec team would like to keep this bug open for tracking. We want to look into whether we can fix it in a way that works for everyone without regression.
If we give up or lose interest, we will request closure of this ticket.
Comment by Levente Polyak (anthraxx) - Wednesday, 23 November 2016, 12:50 GMT
Fixed upstream while preserving the public API jas_stream_memopen(char *buf, int bufsize); and doing some max size checks elsewhere.
