This bug was fixed in the package jasper - 1.900.1-14ubuntu3.3

---------------
jasper (1.900.1-14ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <[email protected]>  Fri, 26 Feb 2016 00:07:11 -0600

** Changed in: jasper (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to jasper in Ubuntu.
https://bugs.launchpad.net/bugs/1547865

Title:
  Double free in libjasper jas_icc.c

Status in jasper package in Ubuntu:
  Fix Released

Bug description:
  A malformed JPEG2000 image being processed by libjasper can lead to a
  double free in jas_icc.c:jas_iccprof_load(). Specifically, the
  variable "attrval" is freed via a call to jas_iccattrval_destroy on
  line 302 and then, if the program moves to the error label before
  attrval gets assigned a new value at 328, "attrval" gets freed again
  at line 357.

  To reproduce the double free is fairly simple using the libjasper-
  runtime program 'imginfo':

  test@ubuntu:~$ imginfo -f ~/test/bad.jp2

  Attached is an image to reproduce this bug. A quick note about the
  image, it appears to also exercise Bug #555238 which is a stack
  exhaustion bug in nautilus. Therefore, don't be surprised when the
  image crashes nautilus. Also attached is output from valgrind and a
  backtrace from gdb.

  lsb_release -rd output:
  test@ubuntu:~$ lsb_release -rd
  Description:  Ubuntu 14.04.3 LTS
  Release:      14.04

  apt-cache output:
  test@ubuntu:~$ apt-cache policy libjasper1 
  libjasper1:
    Installed: 1.900.1-14ubuntu3.2
    Candidate: 1.900.1-14ubuntu3.2
    Version table:
   *** 1.900.1-14ubuntu3.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1.900.1-14ubuntu3 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  test@ubuntu:~$ apt-cache policy libjasper-runtime 
  libjasper-runtime:
    Installed: 1.900.1-14ubuntu3.2
    Candidate: 1.900.1-14ubuntu3.2
    Version table:
   *** 1.900.1-14ubuntu3.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
          500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
          100 /var/lib/dpkg/status
       1.900.1-14ubuntu3 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages

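The error-path double free described in the bug report, reduced to a self-contained C example that is added here and is not libjasper's code or the Ubuntu patch. The names attrval_t, load_profile and the static pool are constructed for illustration, and clearing the pointer after the first release is an assumed remedy, one common way to prevent this class of bug.

```c
#include <stdio.h>

/* Constructed stand-in for an attribute value. 'destroyed' counts destroy
   calls so a double free is observable without corrupting a real heap. */
typedef struct { int destroyed; } attrval_t;

static attrval_t pool[8];   /* static pool instead of malloc/free */
static int pool_used;

static attrval_t *attrval_create(void) {
    if (pool_used >= 8) return NULL;
    pool[pool_used].destroyed = 0;
    return &pool[pool_used++];
}

static void attrval_destroy(attrval_t *v) { v->destroyed++; }

/* Processes n entries; entry 'bad' (-1 for none) fails before attrval is
   reassigned. Returns the highest destroy count on any value:
   1 = released once (correct), 2 = double free. */
int load_profile(int n, int bad, int hardened) {
    attrval_t *attrval = NULL;
    int i, worst = 0;
    pool_used = 0;
    for (i = 0; i < n; i++) {
        if (i == bad) goto error;           /* failure with a stale pointer */
        if (!(attrval = attrval_create())) goto error;
        attrval_destroy(attrval);           /* first release inside the loop */
        if (hardened) attrval = NULL;       /* assumed fix: forget the value */
    }
    goto done;
error:
    if (attrval) attrval_destroy(attrval);  /* cleanup at the error label */
done:
    for (i = 0; i < pool_used; i++)
        if (pool[i].destroyed > worst) worst = pool[i].destroyed;
    return worst;
}

int main(void) {
    printf("vulnerable: %d\n", load_profile(3, 1, 0));
    printf("hardened:   %d\n", load_profile(3, 1, 1));
    return 0;
}
```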