Public bug reported:

Please sync jasper 1.900.1-debian1-2.4 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: denial of service or code execution via off-by-one
    - debian/patches/07-CVE-2014-8157.patch: fix off-by-one in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2014-8157
  * SECURITY UPDATE: denial of service or code execution via memory
    corruption
    - debian/patches/08-CVE-2014-8158.patch: remove HAVE_VLA to use more
      sensible buffer sizes in src/libjasper/jpc/jpc_qmfb.c.
    - CVE-2014-8158
Debian fixed CVEs, as well.

Changelog entries since current vivid version 1.900.1-debian1-2.3ubuntu1:

jasper (1.900.1-debian1-2.4) unstable; urgency=high

  * Non-maintainer upload.
  * Add 07-CVE-2014-8157.patch patch.
    CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
    (Closes: #775970)
  * Add 08-CVE-2014-8158.patch patch.
    CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c
    (Closes: #775970)

 -- Salvatore Bonaccorso <car...@debian.org>  Thu, 22 Jan 2015 17:09:24 +0100

** Affects: jasper (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: jasper (Ubuntu)
   Importance: Undecided => Wishlist

https://bugs.launchpad.net/bugs/1416141

Title:
  Sync jasper 1.900.1-debian1-2.4 (main) from Debian unstable (main)

Status in jasper package in Ubuntu:
  New