jasper (1.900.1-14ubuntu3.5) trusty-security; urgency=medium

  * SECURITY UPDATE: double-free in jasper_image_stop_load
    - debian/patches/CVE-2015-5203-CVE-2016-9262.patch: fix overflow and
      double free in src/libjasper/base/jas_image.c,
      src/libjasper/include/jasper/jas_math.h. (Thanks to Red Hat for the
      patch!)
    - CVE-2015-5203
  * SECURITY UPDATE: use-after-free in mif_process_cmpt
    - debian/patches/CVE-2015-5221.patch: fix use-after-free in
      src/libjasper/mif/mif_cod.c.
    - CVE-2015-5221
  * SECURITY UPDATE: denial of service in jpc_tsfb_synthesize
    - debian/patches/CVE-2016-10248.patch: fix type promotion and prevent
      null pointer dereference in src/libjasper/include/jasper/jas_seq.h,
      src/libjasper/jpc/jpc_dec.c, src/libjasper/jpc/jpc_tsfb.c.
    - CVE-2016-10248
  * SECURITY UPDATE: denial of service in jp2_colr_destroy
    - debian/patches/CVE-2016-10250.patch: fix cleanup in
      src/libjasper/jp2/jp2_cod.c.
    - CVE-2016-10250
  * SECURITY UPDATE: denial of service in jpc_dec_tiledecode
    - debian/patches/CVE-2016-8883.patch: remove asserts in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2016-8883
  * SECURITY UPDATE: denial of service in jp2_colr_destroy
    - debian/patches/CVE-2016-8887.patch: don't destroy box that doesn't
      exist in src/libjasper/jp2/jp2_cod.c, src/libjasper/jp2/jp2_dec.c.
    - CVE-2016-8887
  * SECURITY UPDATE: integer overflow in jpc_dec_process_siz
    - debian/patches/CVE-2016-9387-1.patch: fix overflow in
      src/libjasper/jpc/jpc_dec.c.
    - debian/patches/CVE-2016-9387-2.patch: add more checks to
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2016-9387
  * SECURITY UPDATE: denial of service in ras_getcmap
    - debian/patches/CVE-2016-9388.patch: remove assertions in
      src/libjasper/ras/ras_dec.c, src/libjasper/ras/ras_enc.c.
    - CVE-2016-9388
  * SECURITY UPDATE: denial of service in jpc_irct and jpc_iict functions
    - debian/patches/CVE-2016-9389.patch: add check to
      src/libjasper/base/jas_image.c, src/libjasper/jpc/jpc_dec.c,
      src/libjasper/include/jasper/jas_image.h.
    - CVE-2016-9389
  * SECURITY UPDATE: denial of service in jas_seq2d_create
    - debian/patches/CVE-2016-9390.patch: check tiles in
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9390
  * SECURITY UPDATE: denial of service in jpc_bitstream_getbits
    - debian/patches/CVE-2016-9391.patch: add tests to
      src/libjasper/jpc/jpc_bs.c, src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9391
  * SECURITY UPDATE: multiple denial of service issues
    - debian/patches/CVE-2016-9392-3-4.patch: add more checks to
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9392
    - CVE-2016-9393
    - CVE-2016-9394
  * SECURITY UPDATE: denial of service in JPC_NOMINALGAIN
    - debian/patches/CVE-2016-9396.patch: add check to
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9396
  * SECURITY UPDATE: denial of service via crafted image
    - debian/patches/CVE-2016-9600.patch: add more checks to
      src/libjasper/jp2/jp2_enc.c.
    - CVE-2016-9600
  * SECURITY UPDATE: NULL pointer exception in jp2_encode
    - debian/patches/CVE-2017-1000050.patch: check number of components in
      src/libjasper/jp2/jp2_enc.c.
    - CVE-2017-1000050
  * SECURITY UPDATE: denial of service in jp2_cdef_destroy
    - debian/patches/CVE-2017-6850.patch: initialize data in
      src/libjasper/base/jas_stream.c, src/libjasper/jp2/jp2_cod.c.
    - CVE-2017-6850

 -- Marc Deslauriers  Wed, 27 Jun 2018 11:04:48 -0400

jasper (1.900.1-14ubuntu3.4) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      1.900.1-debian1-2.4+deb8u3 release. Thanks!
    - CVE-2016-1867, CVE-2016-2089, CVE-2016-8654, CVE-2016-8691,
      CVE-2016-8692, CVE-2016-8693, CVE-2016-8882, CVE-2016-9560,
      CVE-2016-9591, CVE-2016-10249, CVE-2016-10251

 -- Marc Deslauriers  Thu, 18 May 2017 10:42:09 -0400

jasper (1.900.1-14ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via
    crafted ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted
    ICC color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks  Fri, 26 Feb 2016 00:07:11 -0600

jasper (1.900.1-14ubuntu3.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted ICC color profile
    - debian/patches/05-CVE-2014-8137.patch: prevent double-free in
      src/libjasper/base/jas_icc.c, remove assert in
      src/libjasper/jp2/jp2_dec.c.
    - CVE-2014-8137
  * SECURITY UPDATE: denial of service or code execution via invalid
    channel number
    - debian/patches/06-CVE-2014-8138.patch: validate channel number in
      src/libjasper/jp2/jp2_dec.c.
    - CVE-2014-8138
  * SECURITY UPDATE: denial of service or code execution via off-by-one
    - debian/patches/07-CVE-2014-8157.patch: fix off-by-one in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2014-8157
  * SECURITY UPDATE: denial of service or code execution via memory
    corruption
    - debian/patches/08-CVE-2014-8158.patch: remove HAVE_VLA to use more
      sensible buffer sizes in src/libjasper/jpc/jpc_qmfb.c.
    - CVE-2014-8158

 -- Marc Deslauriers  Thu, 22 Jan 2015 13:00:10 -0500

jasper (1.900.1-14ubuntu3.1) trusty-security; urgency=medium

  * SECURITY UPDATE: heap overflows via crafted jp2 file
    - debian/patches/04-CVE-2014-9029.patch: fix off-by-one in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2014-9029

 -- Marc Deslauriers  Fri, 05 Dec 2014 09:01:05 -0500

jasper (1.900.1-14ubuntu3) trusty; urgency=low

  * Build using dh-autoreconf.

 -- Matthias Klose  Fri, 06 Dec 2013 15:37:06 +0100

jasper (1.900.1-14) unstable; urgency=low

  * Fix FTBFS on Hurd by defining PATH_MAX (Closes: #690298)
    Thanks to Pino Toscano!

 -- Roland Stigge  Sat, 13 Oct 2012 18:06:57 +0200

jasper (1.900.1-13) unstable; urgency=high

  * Fix CVE-2011-4516 and CVE-2011-4517: Two buffer overflow issues possibly
    exploitable via specially crafted input files (Closes: #652649)
    Thanks to Red Hat and Michael Gilbert

 -- Roland Stigge  Wed, 04 Jan 2012 19:14:40 +0100

jasper (1.900.1-12) unstable; urgency=low

  * Added patch to fix filename buffer overflow, thanks to Jonas Smedegard
    and Alex Cherepanov from ghostscript (Closes: #649833)

 -- Roland Stigge  Sun, 27 Nov 2011 19:56:01 +0100

jasper (1.900.1-11) unstable; urgency=low

  * Added Multiarch support, thanks to Colin Watson (Closes: #645118)

 -- Roland Stigge  Wed, 02 Nov 2011 17:16:10 +0100

jasper (1.900.1-10) unstable; urgency=low

  * Added debian/watch
  * debian/patches/01-misc-fixes.patch:
    - Separated out config.{guess,sub}

 -- Roland Stigge  Mon, 15 Aug 2011 19:09:29 +0200

jasper (1.900.1-9) unstable; urgency=low

  * Switch to dpkg-source 3.0 (quilt) format
  * Using new dh 7 build system

 -- Roland Stigge  Tue, 12 Jul 2011 20:21:21 +0200

jasper (1.900.1-8) unstable; urgency=low

  * Removed unneeded .la file (Closes: #633162)
  * debian/control:
    - Standards-Version: 3.9.2
    - use libjpeg8-dev instead of libjpeg62-dev

 -- Roland Stigge  Mon, 11 Jul 2011 21:27:24 +0200

jasper (1.900.1-7) unstable; urgency=low

  * Acknowledge NMU
  * Added patch to fix Debian patch for CVE-2008-3521 (Closes: #506739)
  * debian/control: Standards-Version: 3.8.4

 -- Roland Stigge  Sun, 21 Feb 2010 16:09:45 +0100

jasper (1.900.1-6.1) unstable; urgency=low

  * Non-maintainer upload.
  * This is a fix for the GeoJP2 patch introduced in 1.900.1-5 which caused
    GDAL faulting. Thanks Even Rouault.
    (Closes: #553429)

 -- Francesco Paolo Lovergine  Wed, 28 Oct 2009 09:39:28 +0100

jasper (1.900.1-6) unstable; urgency=low

  * Reverted to jasper 1.900.1-6 because 1.900.1-5.1 messed up (see #528543)
    but 1.900.1-5 wasn't available anymore. (Closes: #514296, #528543)
  * Re-applied patch from #275619 as in 1.900.1-5
  * debian/control: Standards-Version: 3.8.2
  * Applied patch by Nico Golde (Closes: #501021)
    - CVE-2008-3522[0]: Buffer overflow.
    - CVE-2008-3521[1]: unsecure temporary files handling.
    - CVE-2008-3520[2]: Multiple integer overflows.

 -- Roland Stigge  Sat, 20 Jun 2009 15:21:16 +0200

jasper (1.900.1-5.1) unstable; urgency=low

  * Non-maintainer upload.
  * add patches/02_security.dpatch to fix various CVEs (Closes: #501021):
    + CVE-2008-3522[0]: Buffer overflow.
    + CVE-2008-3521[1]: unsecure temporary files handling.
    + CVE-2008-3520[2]: Multiple integer overflows.

 -- Pierre Habouzit  Sun, 12 Oct 2008 21:40:59 +0200

jasper (1.900.1-5) unstable; urgency=low

  * Added GeoJP2 patch by Sven Geggus (Closes: #275619)
  * debian/control: Standards-Version: 3.8.0

 -- Roland Stigge  Sun, 08 Jun 2008 13:14:24 +0200

jasper (1.900.1-4) unstable; urgency=low

  * src/libjasper/jpc/jpc_dec.c: Extended assert() to accept 4 color
    components (Closes: #469786)
  * debian/rules: improve "make distclean", thanks to lintian
  * debian/control:
    - Standards-Version: 3.7.3
    - ${Source-Version} -> ${binary:Version}
    - Removed self-dependencies of libjasper-dev

 -- Roland Stigge  Sun, 09 Mar 2008 11:53:44 +0100

jasper (1.900.1-3) unstable; urgency=low

  * Fixed segfaults on broken images (Closes: #413041)

 -- Roland Stigge  Tue, 10 Apr 2007 10:05:10 +0200

jasper (1.900.1-2) experimental; urgency=low

  * Added jas_tmr.h to -dev package (Closes: #414705)

 -- Roland Stigge  Tue, 13 Mar 2007 14:23:58 +0100

jasper (1.900.1-1) experimental; urgency=low

  * New upstream release
  * debian/control:
    - Standards-Version: 3.7.2
    - Build-Depends: freeglut3-dev instead of libglut3-dev
      (Closes: #394496)
  * Renamed packages to libjasper1, libjasper-dev, libjasper-runtime
    according to upstream shared library naming change

 -- Roland Stigge  Fri, 26 Jan 2007 14:22:18 +0100

jasper (1.701.0-2) unstable; urgency=low

  * Prevent compression of pdf documents in binary packages
  * Added man pages for the executables (Closes: #250077)
  * Again renamed binary packages to reflect Policy:
    - libjasper-1.701-1
    - libjasper-1.701-dev (Provides, Replaces and Conflicts: libjasper-dev)
    - libjasper-runtime

 -- Roland Stigge  Sun, 20 Jun 2004 13:54:10 +0200

jasper (1.701.0-1) unstable; urgency=low

  * New maintainer (Closes: #217099)
  * New upstream release (Closes: #217570)
    - new DFSG-compliant license (Closes: #218999, #245075)
    - includes newer libtool related files (Closes: #210383)
  * debian/control:
    - Standards-Version: 3.6.1
    - Changed binary package names, fixed interdependencies
      (Closes: #211592)
        libjasper-1.700-2     => libjasper1
        libjasper-1.700-2-dev => libjasper-dev
        libjasper-progs       => libjasper-runtime
      (new packages conflicting and replacing the old ones)
    - Added libxi-dev, libxmu-dev, libxt-dev to Build-Depends
      (Closes: #250481)

 -- Roland Stigge  Sat, 19 Jun 2004 23:19:32 +0200

jasper (1.700.2-1) unstable; urgency=low

  * Initial Release.

 -- Christopher L Cheney  Fri, 22 Aug 2003 01:30:00 -0500