FS#46056 - [jasper] CVE-2015-5203: double-free vulnerability
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Friday, 21 August 2015, 15:13 GMT
Last edited by Levente Polyak (anthraxx) - Wednesday, 23 November 2016, 12:51 GMT
Details
Hi,
A double-free has been found [1][2] in jasper, and our version 1.900.1-13 is vulnerable. It does not seem that this library is actively maintained, but a patch has been provided [3] on the oss-sec mailing list. IMHO it would be nice to backport it.

[1]: http://www.openwall.com/lists/oss-security/2015/08/16/2
[2]: http://www.openwall.com/lists/oss-security/2015/08/21/4
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c3
Closed by Levente Polyak (anthraxx)
Wednesday, 23 November 2016, 12:51 GMT
Reason for closing: Fixed
Additional comments about closing: jasper-1.900.31-1 (currently in testing)
Other distributions don't have any intentions to fix CVE 2015-5203, so far no patch for 2015-5221, so we might want to close this as WONTFIX.
If we give up or lose interest, we will request a closure for this ticket.