graphics/jasper CVE fixes from Slackware

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

graphics/jasper CVE fixes from Slackware

patrick keshishian
Slackware just notified of these:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029

Summary:
        CVE-2014-8137: double-free
        CVE-2014-8138: heap-based buffer overflow
        CVE-2014-8157: off-by-one
        CVE-2014-8158: multiple stack-based buffer overflows
        CVE-2014-9029: multiple off-by-one

Patches from Slackware are available off their ftp site:

        ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/source/jasper/patches/

        jasper-CVE-2014-8137.patch.gz 1 KB 09/03/15 18:54:00
        jasper-CVE-2014-8138.patch.gz 1 KB 09/03/15 18:55:00
        jasper-CVE-2014-8157.patch.gz 1 KB 09/03/15 18:55:00
        jasper-CVE-2014-8158.patch.gz 2 KB 09/03/15 18:56:00
        jasper-CVE-2014-9029.patch.gz 1 KB 09/03/15 18:57:00


Attached is my attempt to merge above Slackware patches, into
our jasper port.

Someone more familiar with jasper should double check that I
didn't screw anything up.

I have a question though, 'pkg_info jasper' claims gimp as a dependent,
however, 'ldd gimp' doesn't show jasper in the list. What am I missing?

Cheers,
--patrick

jasper.diff (26K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: graphics/jasper CVE fixes from Slackware

patrick keshishian
ping?

On 10/29/15, patrick keshishian <[hidden email]> wrote:

> Slackware just notified of these:
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
>
> Summary:
> CVE-2014-8137: double-free
> CVE-2014-8138: heap-based buffer overflow
> CVE-2014-8157: off-by-one
> CVE-2014-8158: multiple stack-based buffer overflows
> CVE-2014-9029: multiple off-by-one
>
> Patches from Slackware are available off their ftp site:
>
> ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/source/jasper/patches/
>
> jasper-CVE-2014-8137.patch.gz 1 KB 09/03/15 18:54:00
> jasper-CVE-2014-8138.patch.gz 1 KB 09/03/15 18:55:00
> jasper-CVE-2014-8157.patch.gz 1 KB 09/03/15 18:55:00
> jasper-CVE-2014-8158.patch.gz 2 KB 09/03/15 18:56:00
> jasper-CVE-2014-9029.patch.gz 1 KB 09/03/15 18:57:00
>
>
> Attached is my attempt to merge above Slackware patches, into
> our jasper port.
>
> Someone more familiar with jasper should double check that I
> didn't screw anything up.
>
> I have a question though, 'pkg_info jasper' claims gimp as a dependent,
> however, 'ldd gimp' doesn't show jasper in the list. What am I missing?
>
> Cheers,
> --patrick
>

Reply | Threaded
Open this post in threaded view
|

Re: graphics/jasper CVE fixes from Slackware

Stuart Henderson-6
On 2015/11/05 12:02, patrick keshishian wrote:
> ping?

Thanks, they look good to me so I've committed them.

> > I have a question though, 'pkg_info jasper' claims gimp as a dependent,
> > however, 'ldd gimp' doesn't show jasper in the list. What am I missing?

It could be in a library/module, or it might no longer be correct at
all. By removing 'jasper' from gimp's WANTLIB line and running 'make
port-lib-depends-check' it would show a file that pulls it in, if any.
(though it only mentions the first file if there are more than one).