Date: Thu, 27 Aug 2015 12:18:03 -0400
From: Curtis Villamizar <curtis@ipv6.occnc.com>
To: Michael Adams <mdadams@ece.uvic.ca>, Maxim Sobolev <sobomax@FreeBSD.org>, freebsd-ports@freebsd.org
Cc: curtis@ipv6.occnc.com
Subject: security flaws in jasper (CVE-2015-5203, CVE-2015-5221)
Message-ID: <201508271618.t7RGI3OP026534@maildrop31.somerville.occnc.com>

Michael, Maxim,

Any chance of fixing these two bugs?

A fix for CVE-2015-5203 was proposed. See
http://seclists.org/oss-sec/2015/q3/416

Diffs are at
http://sf.net/projects/mancha/files/sec/jasper-1.900.1_CVE-2015-5203.diff
though I don't know if these diffs fix anything.

The second bug is described at
http://seclists.org/oss-sec/2015/q3/408
where a few means of fixing the bug are described but no diffs given.

There is some brief information at
http://vuxml.freebsd.org/freebsd/f1692469-45ce-11e5-adde-14dae9d210b8.html
which is where I ran into this.

Both firefox and chromium use the graphics/gdk-pixbuf2 port which
usually includes jasper, but can be configured out. Netpbm also uses
jasper which affects a few other ports and can't be configured out.

Other ports are likely to be affected. I just looked at ports I
regularly build and use.

Curtis