FEDORA-2016-7776983633

security update in Fedora 24 for jasper

Status: stable 3 years ago

Security fix for CVE-2015-5203, CVE-2015-5221, CVE-2016-1867, CVE-2016-1577 and CVE-2016-2116.

How to install

sudo dnf upgrade --advisory=FEDORA-2016-7776983633

Comments 9

This update has been submitted for testing by jridky.

This update has been pushed to testing.

works for me

karma: +1

This update has been submitted for stable by bodhi.

works for me

karma: +1

This update has been pushed to stable.

This breaks gnome-software (and really, anything that tries to load files using gtk-pixbuf) and prevents it starting:

gnome-software: jas_stream.c:1044: mem_write: Assertion `ret == cnt' failed.

GtkPixbuf actually depends on the -1 buffer size to support auto-expanding the memory buffer at runtime, so changing the API by making the field unsigned breaks as GTK then tries to allocate a huge buffer.

karma: -1 critpath: -1

Users of the updated lib seem to very reliably crash.

karma: -1

Add Comment & Feedback

Please login to add feedback.

Content Type
RPM
Status
stable
Test Gating
Submitted by
Update Type
security
Update Severity
unspecified
Karma
+1
stable threshold: 3
unstable threshold: -3
Autopush (karma)
Enabled
Autopush (time)
Disabled
Dates
submitted 3 years ago
in testing 3 years ago
in stable 3 years ago

Related Bugs 10

00 #1254242 CVE-2015-5203 jasper: double free in jasper_image_stop_load()
00 #1254244 CVE-2015-5203 jasper: double free in jasper_image_stop_load() [fedora-all]
00 #1255710 CVE-2015-5221 jasper: Use-after-free and double-free flaws in Jasper JPEG-2000 library
00 #1255714 CVE-2015-5221 jasper: Use-after-free and double-free flaws in Jasper JPEG-2000 library [fedora-all]
00 #1298135 CVE-2016-1867 jasper: out-of-bounds read in the jpc_pi_nextcprl() function
00 #1298138 CVE-2016-1867 jasper: out-of-bounds read in the jpc_pi_nextcprl() function [fedora-all]
00 #1314466 CVE-2016-1577 jasper: Double free vulnerability in jas_iccattrval_destroy
00 #1314468 CVE-2016-1577 jasper: Double free vulnerability in jas_iccattrval_destroy [fedora-all]
00 #1314472 CVE-2016-2116 jasper: Memory leak in jas_iccprof_createfrombuf causing memory consumption
00 #1314473 CVE-2016-2116 jasper: Memory leak in jas_iccprof_createfrombuf causing memory consumption [fedora-all]

Automated Test Results