FS#64655 - [security] [jasper] consider dropping - unmaintained
Attached to Project:
Arch Linux
Opened by Gunnar Bretthauer (Taijian) - Tuesday, 26 November 2019, 14:10 GMT
Last edited by freswa (frederik) - Sunday, 26 July 2020, 14:35 GMT
Details
Description:
According to this upstream issue (https://github.com/mdadams/jasper/issues/208) jasper is no longer being actively maintained and open issues and security vulnerabilities are no longer being addressed. I would therefore ask Arch maintainers to remove jasper dependencies wherever possible, in order to reduce the possible attack surface of users' systems (many projects that currently depend on jasper can have this dependency disabled at compile time). Because jasper provides what is in many respects a niche feature, this would not remove core functionality in almost all cases. Users depending on this feature could then still recompile with the respective switch flicked on.

One widely pulled in package affected by this is gdk-pixbuf2. Maintainers there are aware of this issue with jasper, but point out that jasper support is default disabled (https://gitlab.gnome.org/GNOME/gdk-pixbuf/issues/137#note_656180). Maybe Arch could follow the default setting in such cases in the interest of security.

There seems to be an emerging consensus among distros that this is the smart way to approach jasper - according to the aforementioned issue, so far Debian, Ubuntu, and Gentoo have already dropped jasper from their repos because of security concerns, and OpenSUSE is in the process of doing so.
Closed by freswa (frederik)
Sunday, 26 July 2020, 14:35 GMT
Reason for closing: Fixed
Additional comments about closing: 2.0.17
dcraw
devil
gegl
gimp
libicns
libraw
opencv
openimageio
openscenegraph
qt5-imageformats
ziproxy
graphicsmagick
jasper-doc
* gimp:
does not actually depend on jasper anymore since 2018-08-13 as commit https://gitlab.gnome.org/GNOME/gimp/commit/fb57133d55f88e88fafadec8b09a0a3084585b88 replaced jasper with openjpeg. The Arch package just missed that change somehow...
* libraw:
see https://bugs.archlinux.org/task/65569
* qt5-imageformats:
see https://bugs.archlinux.org/task/65570
* jasper-doc:
probably no longer needed when jasper gets dropped?
* opencv:
- jasper support can be disabled at compile time with -DWITH_JASPER=OFF
- upstream has already disabled jasper at runtime by default; re-enabling it requires setting a special environment variable: https://github.com/opencv/opencv/pull/14059
- there is apparently an incomplete PR to replace jasper with openjpeg: https://github.com/opencv/opencv/pull/16494
So it can probably just be removed?
CVE-2017-13748
CVE-2018-9055
community/libicns should be able to just switch to openjpeg as the code treats them as interchangeable at compile time according to https://sourceforge.net/p/icns/code/ci/master/tree/README.install
community/openimageio has not depended on jasper since commit https://github.com/OpenImageIO/oiio/commit/e5cc009e160d2534ba9943326967fb9a29c823cf in 2011! They switched to openjpeg at that point. See also here: https://github.com/OpenImageIO/oiio/blob/master/INSTALL.md
Jasper is fully optional at build time - either it is present and will then be compiled in, or it's not, in which case it will be skipped. See: https://gitlab.gnome.org/GNOME/gegl/-/blob/master/meson_options.txt
Packages that can switch to openjpeg2 but haven't done so yet:
- community/libicns (change would be picked up automatically at compile-time)
Packages that can drop jasper without any further config changes needed (compile-time detection automagick):
- extra/gegl
- extra/graphicsmagick
- extra/qt5-imageformats
- community/devil
- community/openscenegraph
Packages that need extra PKGBUILD changes to drop jasper:
- extra/dcraw (replace '-ljasper' with '-DNO_JASPER' in gcc options)
- extra/libraw (add '--enable-jasper=no' to compile options)
- community/ziproxy (replace '--with-jasper' with '--with-jasper=no' in ./configure options)
Packages that could be dropped afterwards:
- extra/jasper
- extra/jasper-doc
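A check to go with the list above, added here as an example and not code from the bug report, from Arch, or from any of the packages named: "compile-time detection automagick" means the build result depends on what happened to be installed in the build chroot, so the reliable way to confirm a rebuilt package has really dropped jasper is to look at what its binaries ask the dynamic loader for. The script below reads the PT_DYNAMIC segment of each ELF file under a directory (for instance the pkg/ tree of a makepkg build) and lists the DT_NEEDED entries, flagging anything that names libjasper.so. The sonames libjasper.so.4 and libopenjp2.so.7 used in the constructed sample images are assumed values for illustration, and the sample images themselves are fixtures built in the script, not real package contents.

```python
"""List DT_NEEDED entries of ELF files and flag those still naming libjasper.

Added example; not code from the Arch bug tracker or any package named there.
"""
from __future__ import annotations

import os
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10

# Per ELF class: program-header struct, where e_phoff and e_phentsize live
# in the ELF header, and the Elf_Dyn struct. Field order differs between
# ELF32 (p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...) and ELF64
# (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...).
_LAYOUT = {
    1: dict(phdr="IIIIIIII", phoff="I", phoff_at=28, phnum_at=42, dyn="iI"),
    2: dict(phdr="IIQQQQQQ", phoff="Q", phoff_at=32, phnum_at=54, dyn="qQ"),
}


def needed_libs(data: bytes) -> list[str]:
    """Return the DT_NEEDED sonames of one ELF image, in link order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, enc = data[4], data[5]
    if cls not in _LAYOUT or enc not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    e = "<" if enc == 1 else ">"
    lay = _LAYOUT[cls]
    (phoff,) = struct.unpack_from(e + lay["phoff"], data, lay["phoff_at"])
    phentsize, phnum = struct.unpack_from(e + "HH", data, lay["phnum_at"])

    loads, dynamic = [], None
    for i in range(phnum):
        f = struct.unpack_from(e + lay["phdr"], data, phoff + i * phentsize)
        p_type = f[0]
        p_offset, p_vaddr, p_filesz = (f[1], f[2], f[4]) if cls == 1 else (f[2], f[3], f[5])
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []  # static executable or relocatable object: nothing is loaded

    dyn_fmt = e + lay["dyn"]
    step = struct.calcsize(dyn_fmt)
    d_off, d_size = dynamic
    name_offs, strtab_va, strsz = [], None, None
    for pos in range(d_off, d_off + d_size, step):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            name_offs.append(val)
        elif tag == DT_STRTAB:
            strtab_va = val
        elif tag == DT_STRSZ:
            strsz = val
    if not name_offs:
        return []
    if strtab_va is None or strsz is None:
        raise ValueError("DT_NEEDED present but DT_STRTAB/DT_STRSZ missing")
    # DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD.
    for vaddr, offset, filesz in loads:
        if vaddr <= strtab_va < vaddr + filesz:
            table = data[strtab_va - vaddr + offset:][:strsz]
            break
    else:
        raise ValueError("DT_STRTAB is not inside any PT_LOAD segment")
    names = []
    for o in name_offs:
        if o >= strsz:
            raise ValueError("DT_NEEDED string offset outside .dynstr")
        end = table.find(b"\0", o)
        names.append(table[o:end if end >= 0 else strsz].decode("ascii", "replace"))
    return names


def links_library(data: bytes, soname_prefix: str = "libjasper.so") -> bool:
    """True if the image names a library whose soname starts with the prefix."""
    return any(n.startswith(soname_prefix) for n in needed_libs(data))


def scan_tree(root: str, soname_prefix: str = "libjasper.so") -> dict[str, list[str]]:
    """Map every ELF file under root that still needs the library to its DT_NEEDED list."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if data[:4] != b"\x7fELF":
                continue
            try:
                needed = needed_libs(data)
            except (ValueError, struct.error):
                continue  # truncated or exotic image; not what we are checking
            if any(n.startswith(soname_prefix) for n in needed):
                hits[path] = needed
    return hits


def build_sample_elf64(needed: list[str], base_va: int = 0x400000) -> bytes:
    """Constructed fixture: a minimal little-endian ELF64 with one PT_LOAD and
    one PT_DYNAMIC whose only content is DT_NEEDED/DT_STRTAB/DT_STRSZ. It is
    not loadable; only the tables the parser reads are real."""
    ehdr_sz, phdr_sz = 64, 56
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    strtab_off = ehdr_sz + 2 * phdr_sz
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    entries, pos = [], 1
    for n in needed:
        entries.append((DT_NEEDED, pos))
        pos += len(n) + 1
    entries += [(DT_STRTAB, base_va + strtab_off), (DT_STRSZ, len(strtab)), (DT_NULL, 0)]
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    total = dyn_off + len(dynamic)
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       3, 62, 1, 0, ehdr_sz, 0, 0, ehdr_sz, phdr_sz, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base_va, base_va, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base_va + dyn_off,
                         base_va + dyn_off, len(dynamic), len(dynamic), 8)
    img = ehdr + phdrs + strtab
    return img + b"\0" * (dyn_off - len(img)) + dynamic


def demo() -> dict:
    """Before/after comparison on constructed images (assumed sonames)."""
    before = build_sample_elf64(["libjasper.so.4", "libc.so.6"])
    after = build_sample_elf64(["libopenjp2.so.7", "libc.so.6"])
    return {"before_needed": needed_libs(before), "before_links_jasper": links_library(before),
            "after_needed": needed_libs(after), "after_links_jasper": links_library(after)}


if __name__ == "__main__":
    print(demo())
    if len(sys.argv) > 1:  # e.g. python3 check_needed.py pkg/
        for path, needed in sorted(scan_tree(sys.argv[1]).items()):
            print(f"{path}: {' '.join(needed)}")
```

Run it over the pkg/ directory of a fresh makepkg build; an empty result means no file in the package will make ld.so load libjasper. Note that this covers the dynamic-linking case only: a program that dlopen()s a plugin by name at runtime will not show up in DT_NEEDED, so for packages such as qt5-imageformats the plugin .so files themselves are what to scan.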
There is now a new fork of jasper at [1] by a group of people who aim to fix the existing CVEs and do some general maintenance. There is no release yet, because they are apparently trying to work with the old maintainer of jasper to integrate their fixes into the original codebase, but if that does not work out, they might make their own release [2].
If this new release should materialize, maybe the Arch version of jasper should switch to the updated source?
[1] https://github.com/jasper-maint/jasper
[2] https://github.com/mdadams/jasper/issues/208#issuecomment-651769843