[Bug 1416141] [NEW] Sync jasper 1.900.1-debian1-2.4 (main) from Debian unstable (main)

Artur Rona ari-tczew at tlen.pl
Thu Jan 29 22:25:26 UTC 2015


Public bug reported:

Please sync jasper 1.900.1-debian1-2.4 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: denial of service or code execution via off-by-one
    - debian/patches/07-CVE-2014-8157.patch: fix off-by-one in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2014-8157
  * SECURITY UPDATE: denial of service or code execution via memory
    corruption
    - debian/patches/08-CVE-2014-8158.patch: remove HAVE_VLA to use more
      sensible buffer sizes in src/libjasper/jpc/jpc_qmfb.c.
    - CVE-2014-8158

Debian fixed these CVEs as well.

Changelog entries since current vivid version 1.900.1-debian1-2.3ubuntu1:

jasper (1.900.1-debian1-2.4) unstable; urgency=high

  * Non-maintainer upload.
  * Add 07-CVE-2014-8157.patch patch.
    CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
    (Closes: #775970)
  * Add 08-CVE-2014-8158.patch patch.
    CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes: #775970)

 -- Salvatore Bonaccorso <carnil at debian.org>  Thu, 22 Jan 2015 17:09:24 +0100
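As an added illustration (not JasPer's source and not the Debian patches themselves), the two defect classes the changelog names, each shown in hardened form: a tile index taken from an SOT marker must be strictly less than `dec->numtiles`, and a work buffer whose size comes from the file is bounded and heap-allocated instead of declared as a VLA on the stack. All names here (`dec_state_t`, `process_sot`, `alloc_row_buffer`, `MAX_ROW_ELEMS`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical decoder state; this is NOT JasPer's jpc_dec_t. */
typedef struct {
    int numtiles;       /* tile count declared in the codestream header */
    int *tile_states;   /* one entry per tile, numtiles elements */
} dec_state_t;

/* Off-by-one form: tileno == numtiles passes, one past the array end. */
int sot_tile_index_buggy(const dec_state_t *dec, int tileno)
{
    if (tileno < 0 || tileno > dec->numtiles)
        return -1;
    return 0;
}

/* Corrected form: a valid tile index is strictly less than numtiles. */
int sot_tile_index_ok(const dec_state_t *dec, int tileno)
{
    if (tileno < 0 || tileno >= dec->numtiles)
        return -1;
    return 0;
}

/* Handle a tile-part header; tile_states is only indexed after the check. */
int process_sot(dec_state_t *dec, int tileno)
{
    if (sot_tile_index_ok(dec, tileno) != 0)
        return -1;      /* reject the tile-part instead of writing past the end */
    dec->tile_states[tileno] = 1;
    return 0;
}

/* Upper bound for a per-row work buffer: an assumed cap, not JasPer's value. */
#define MAX_ROW_ELEMS (1u << 20)

/* Bounded heap allocation in place of a VLA such as "int32_t buf[numrows];"
 * whose length is taken straight from the input file. */
int32_t *alloc_row_buffer(size_t numrows)
{
    if (numrows == 0 || numrows > MAX_ROW_ELEMS)
        return NULL;    /* oversized request is an error, not stack exhaustion */
    return calloc(numrows, sizeof(int32_t));
}
```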

** Affects: jasper (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: jasper (Ubuntu)
   Importance: Undecided => Wishlist

https://bugs.launchpad.net/bugs/1416141