Your message dated Tue, 27 Jan 2015 22:21:17 +0000
with message-id <e1ygevz-0005n4...@franck.debian.org>
and subject line Bug#775970: fixed in jasper 1.900.1-7+squeeze4
has caused the Debian Bug report #775970,
regarding jasper: CVE-2014-8157 CVE-2014-8158
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
775970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libjasper1
Version: 1.900.1-13+deb7u2
Severity: grave
Tags: security upstream
Justification: user security hole
From: http://www.ocert.org/advisories/ocert-2015-001.html
The library is affected by an off-by-one error in a buffer boundary
check in jpc_dec_process_sot(), leading to a heap-based buffer
overflow, as well as multiple unrestricted stack memory use issues in
jpc_qmfb.c, leading to stack overflow.
A specially crafted jp2 file can be used to trigger the
vulnerabilities.
-- System Information:
Debian Release: 7.8
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libjasper1 depends on:
ii libc6 2.13-38+deb7u6
ii libjpeg8 8d-1+deb7u1
ii multiarch-support 2.13-38+deb7u6
libjasper1 recommends no packages.
Versions of packages libjasper1 suggests:
pn libjasper-runtime <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: jasper
Source-Version: 1.900.1-7+squeeze4
We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated jasper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 27 Jan 2015 20:20:04 +0100
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source i386
Version: 1.900.1-7+squeeze4
Distribution: squeeze-lts
Urgency: high
Maintainer: Roland Stigge <sti...@antcom.de>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Description:
libjasper-dev - Development files for the JasPer JPEG-2000 library
libjasper-runtime - Programs for manipulating JPEG-2000 files
libjasper1 - The JasPer JPEG-2000 runtime library
Closes: 775970
Changes:
jasper (1.900.1-7+squeeze4) squeeze-lts; urgency=high
.
* Non-maintainer upload by the Squeeze LTS Team.
* Add 07-CVE-2014-8157.patch patch.
CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
(Closes: #775970)
* Add 08-CVE-2014-8158.patch patch.
CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes:
#775970)
--- End Message ---
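The off-by-one boundary check that the oCERT description and the CVE-2014-8157 changelog entry refer to, illustrated on a constructed model (an added example, not JasPer's own code): tile_t, dec_t, the two check functions and the minimal SOT buffer are assumptions, and only the first two fields of the marker segment (Lsot, Isot) are modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model of a decoder's tile table (not JasPer's own code):
 * numtiles entries are allocated up front, and each SOT marker segment
 * names the tile it belongs to by index (the Isot field). */
typedef struct { int seen_sot; } tile_t;          /* hypothetical per-tile state */
typedef struct { unsigned numtiles; tile_t *tiles; } dec_t;

/* Off-by-one boundary check of the kind CVE-2014-8157 describes: '>' lets
 * tileno == numtiles through, one element past the end of dec->tiles. */
bool tileno_ok_buggy(const dec_t *dec, unsigned tileno) {
    return !(tileno > dec->numtiles);
}
/* Corrected check: the only valid indices are 0 .. numtiles - 1. */
bool tileno_ok_fixed(const dec_t *dec, unsigned tileno) {
    return tileno < dec->numtiles;
}

/* Read Isot from a minimal SOT marker segment laid out as in ISO 15444-1:
 * Lsot (2 bytes, big-endian) followed by Isot (2 bytes, big-endian).
 * Returns -1 if the buffer is too short to hold both fields. */
int parse_sot_tileno(const uint8_t *buf, size_t len) {
    if (len < 4) return -1;
    return (buf[2] << 8) | buf[3];
}

/* Returns 1 if the marker was accepted and the tile marked, 0 if rejected,
 * and -1 if the check accepted an index that would write past the table;
 * the model refuses that write instead of corrupting the heap. */
int process_sot(dec_t *dec, const uint8_t *buf, size_t len,
                bool (*check)(const dec_t *, unsigned)) {
    int tileno = parse_sot_tileno(buf, len);
    if (tileno < 0 || !check(dec, (unsigned)tileno)) return 0;
    if ((unsigned)tileno >= dec->numtiles) return -1;   /* out-of-bounds write */
    dec->tiles[tileno].seen_sot = 1;
    return 1;
}

int main(void) {
    tile_t tiles[4] = {{0}, {0}, {0}, {0}};
    dec_t dec = { 4, tiles };
    /* Constructed SOT segment: Lsot = 10, Isot = 4 (== numtiles). */
    const uint8_t sot[] = { 0x00, 0x0A, 0x00, 0x04 };
    printf("buggy check: %d\n", process_sot(&dec, sot, sizeof sot, tileno_ok_buggy));
    printf("fixed check: %d\n", process_sot(&dec, sot, sizeof sot, tileno_ok_fixed));
    return 0;
}
```

With the buggy check the Isot == numtiles marker is accepted and the model reports -1 (the write it refused); with the corrected check the same marker is rejected with 0.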