Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201908-03 ] JasPer: Multiple vulnerabilities
Date: Fri, 09 Aug 2019 20:47:16
Message-Id: 20190809203858.GB6479@bubba.lan
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201908-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: JasPer: Multiple vulnerabilities
     Date: August 09, 2019
     Bugs: #614028, #614032, #624988, #629286, #635552, #662160,
           #674154, #674214
       ID: 201908-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in JasPer, the worst of which
could result in a Denial of Service condition.

Background
==========

JasPer is a software-based implementation of the codec specified in the
JPEG-2000 Part-1 standard.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/jasper           <= 2.0.16                        >=  

Description
===========

Multiple vulnerabilities have been discovered in JasPer. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

JasPer is no longer maintained upstream and contains many
vulnerabilities which remain unaddressed. Gentoo users are advised to
unmerge this package.

  # emerge --unmerge media-libs/jasper

References
==========

[  1 ] CVE-2017-1000050
       https://nvd.nist.gov/vuln/detail/CVE-2017-1000050
[  2 ] CVE-2017-13745
       https://nvd.nist.gov/vuln/detail/CVE-2017-13745
[  3 ] CVE-2017-13746
       https://nvd.nist.gov/vuln/detail/CVE-2017-13746
[  4 ] CVE-2017-13747
       https://nvd.nist.gov/vuln/detail/CVE-2017-13747
[  5 ] CVE-2017-13748
       https://nvd.nist.gov/vuln/detail/CVE-2017-13748
[  6 ] CVE-2017-13749
       https://nvd.nist.gov/vuln/detail/CVE-2017-13749
[  7 ] CVE-2017-13750
       https://nvd.nist.gov/vuln/detail/CVE-2017-13750
[  8 ] CVE-2017-13751
       https://nvd.nist.gov/vuln/detail/CVE-2017-13751
[  9 ] CVE-2017-13752
       https://nvd.nist.gov/vuln/detail/CVE-2017-13752
[ 10 ] CVE-2017-13753
       https://nvd.nist.gov/vuln/detail/CVE-2017-13753
[ 11 ] CVE-2017-14132
       https://nvd.nist.gov/vuln/detail/CVE-2017-14132
[ 12 ] CVE-2017-14229
       https://nvd.nist.gov/vuln/detail/CVE-2017-14229
[ 13 ] CVE-2017-14232
       https://nvd.nist.gov/vuln/detail/CVE-2017-14232
[ 14 ] CVE-2017-5503
       https://nvd.nist.gov/vuln/detail/CVE-2017-5503
[ 15 ] CVE-2017-5504
       https://nvd.nist.gov/vuln/detail/CVE-2017-5504
[ 16 ] CVE-2017-5505
       https://nvd.nist.gov/vuln/detail/CVE-2017-5505
[ 17 ] CVE-2017-6851
       https://nvd.nist.gov/vuln/detail/CVE-2017-6851
[ 18 ] CVE-2017-6852
       https://nvd.nist.gov/vuln/detail/CVE-2017-6852
[ 19 ] CVE-2017-9782
       https://nvd.nist.gov/vuln/detail/CVE-2017-9782
[ 20 ] CVE-2018-18873
       https://nvd.nist.gov/vuln/detail/CVE-2018-18873
[ 21 ] CVE-2018-20584
       https://nvd.nist.gov/vuln/detail/CVE-2018-20584
[ 22 ] CVE-2018-9055
       https://nvd.nist.gov/vuln/detail/CVE-2018-9055
[ 23 ] CVE-2018-9154
       https://nvd.nist.gov/vuln/detail/CVE-2018-9154

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201908-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
