jasper (1.900.1-debian1-2.4ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: double-free in jasper_image_stop_load
    - debian/patches/CVE-2015-5203-CVE-2016-9262.patch: fix overflow and
      double free in src/libjasper/base/jas_image.c,
      src/libjasper/include/jasper/jas_math.h. (Thanks to Red Hat for the
      patch!)
    - CVE-2015-5203
  * SECURITY UPDATE: use-after-free in mif_process_cmpt
    - debian/patches/CVE-2015-5221.patch: fix use-after-free in
      src/libjasper/mif/mif_cod.c.
    - CVE-2015-5221
  * SECURITY UPDATE: denial of service in jpc_tsfb_synthesize
    - debian/patches/CVE-2016-10248.patch: fix type promotion and prevent
      null pointer dereference in src/libjasper/include/jasper/jas_seq.h,
      src/libjasper/jpc/jpc_dec.c, src/libjasper/jpc/jpc_tsfb.c.
    - CVE-2016-10248
  * SECURITY UPDATE: denial of service in jp2_colr_destroy
    - debian/patches/CVE-2016-10250.patch: fix cleanup in
      src/libjasper/jp2/jp2_cod.c.
    - CVE-2016-10250
  * SECURITY UPDATE: denial of service in jpc_dec_tiledecode
    - debian/patches/CVE-2016-8883.patch: remove asserts in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2016-8883
  * SECURITY UPDATE: denial of service in jp2_colr_destroy
    - debian/patches/CVE-2016-8887.patch: don't destroy box that doesn't
      exist in src/libjasper/jp2/jp2_cod.c, src/libjasper/jp2/jp2_dec.c.
    - CVE-2016-8887
  * SECURITY UPDATE: integer overflow in jpc_dec_process_siz
    - debian/patches/CVE-2016-9387-1.patch: fix overflow in
      src/libjasper/jpc/jpc_dec.c.
    - debian/patches/CVE-2016-9387-2.patch: add more checks to
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2016-9387
  * SECURITY UPDATE: denial of service in ras_getcmap
    - debian/patches/CVE-2016-9388.patch: remove assertions in
      src/libjasper/ras/ras_dec.c, src/libjasper/ras/ras_enc.c.
    - CVE-2016-9388
  * SECURITY UPDATE: denial of service in jpc_irct and jpc_iict functions
    - debian/patches/CVE-2016-9389.patch: add check to
      src/libjasper/base/jas_image.c, src/libjasper/jpc/jpc_dec.c,
      src/libjasper/include/jasper/jas_image.h.
    - CVE-2016-9389
  * SECURITY UPDATE: denial of service in jas_seq2d_create
    - debian/patches/CVE-2016-9390.patch: check tiles in
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9390
  * SECURITY UPDATE: denial of service in jpc_bitstream_getbits
    - debian/patches/CVE-2016-9391.patch: add tests to
      src/libjasper/jpc/jpc_bs.c, src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9391
  * SECURITY UPDATE: multiple denial of service issues
    - debian/patches/CVE-2016-9392-3-4.patch: add more checks to
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9392
    - CVE-2016-9393
    - CVE-2016-9394
  * SECURITY UPDATE: denial of service in JPC_NOMINALGAIN
    - debian/patches/CVE-2016-9396.patch: add check to
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9396
  * SECURITY UPDATE: denial of service via crafted image
    - debian/patches/CVE-2016-9600.patch: add more checks to
      src/libjasper/jp2/jp2_enc.c.
    - CVE-2016-9600
  * SECURITY UPDATE: NULL pointer exception in jp2_encode
    - debian/patches/CVE-2017-1000050.patch: check number of components in
      src/libjasper/jp2/jp2_enc.c.
    - CVE-2017-1000050
  * SECURITY UPDATE: denial of service in jp2_cdef_destroy
    - debian/patches/CVE-2017-6850.patch: initialize data in
      src/libjasper/base/jas_stream.c, src/libjasper/jp2/jp2_cod.c.
    - CVE-2017-6850

 -- Marc Deslauriers  Wed, 27 Jun 2018 07:48:44 -0400

jasper (1.900.1-debian1-2.4ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      1.900.1-debian1-2.4+deb8u3 release. Thanks!
    - CVE-2016-1867, CVE-2016-2089, CVE-2016-8654, CVE-2016-8691,
      CVE-2016-8692, CVE-2016-8693, CVE-2016-8882, CVE-2016-9560,
      CVE-2016-9591, CVE-2016-10249, CVE-2016-10251

 -- Marc Deslauriers  Thu, 18 May 2017 10:37:26 -0400

jasper (1.900.1-debian1-2.4ubuntu1) xenial; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via
    crafted ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted
    ICC color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks  Wed, 02 Mar 2016 15:30:54 -0600

jasper (1.900.1-debian1-2.4) unstable; urgency=high

  * Non-maintainer upload.
  * Add 07-CVE-2014-8157.patch patch.
    CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
    (Closes: #775970)
  * Add 08-CVE-2014-8158.patch patch.
    CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c
    (Closes: #775970)

 -- Salvatore Bonaccorso  Thu, 22 Jan 2015 17:09:24 +0100

jasper (1.900.1-debian1-2.3) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add 05-CVE-2014-8137.patch patch.
    CVE-2014-8137: double-free in jas_iccattrval_destroy().
    (Closes: #773463)
  * Add 06-CVE-2014-8138.patch patch.
    CVE-2014-8138: heap overflow in jp2_decode(). (Closes: #773463)

 -- Salvatore Bonaccorso  Sat, 20 Dec 2014 08:42:19 +0100

jasper (1.900.1-debian1-2.2) unstable; urgency=high

  * Non-maintainer upload.
  * Add 04-CVE-2014-9029.patch patch.
    CVE-2014-9029: incorrect component number check in COC, RGN and QCC
    marker segment decoders. (Closes: #772036)

 -- Salvatore Bonaccorso  Fri, 05 Dec 2014 08:39:16 +0100

jasper (1.900.1-debian1-2.1) unstable; urgency=medium

  * Non-maintainer upload (acked by maintainer)
  * Change B-D to libjpeg-dev to finish the transition to libjpeg-turbo
    (Closes: #763475)

 -- Ondřej Surý  Mon, 29 Sep 2014 15:25:32 +0200

jasper (1.900.1-debian1-2) unstable; urgency=medium

  * debian/rules: Changed from dh $@ --with autotools_dev to autoreconf
    to fix build issue on new architectures (Closes: #747507)

 -- Roland Stigge  Sun, 18 May 2014 19:46:12 +0200

jasper (1.900.1-debian1-1) unstable; urgency=medium

  * Re-packaged upstream tarball without srgb.icm (Closes: #736805)
  * debian/control:
    - Build-Depends: debhelper (>= 9)
    - Standards-Version: 3.9.5

 -- Roland Stigge  Sat, 12 Apr 2014 22:38:23 +0200

jasper (1.900.1-14) unstable; urgency=low

  * Fix FTBFS on Hurd by defining PATH_MAX (Closes: #690298)
    Thanks to Pino Toscano!

 -- Roland Stigge  Sat, 13 Oct 2012 18:06:57 +0200

# For older changelog entries, run 'apt-get changelog libjasper1'