Bug 461478 (CVE-2008-3522)
Summary: | CVE-2008-3522 jasper: possible buffer overflow in jas_stream_printf() | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | unspecified | CC: | rdieter, rjones | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | jasper 1.900.2 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2009-10-28 10:59:30 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 530305 | ||||||
Bug Blocks: | 1167538 | ||||||
Attachments: |
|
Description
Tomas Hoger
2008-09-08 13:30:10 UTC
Created attachment 316079 [details]
OpenBSD patch
netpbm contains an embedded copy of the jasper library for use in jpeg2ktopam and pamtojpeg2k converters. Even though it contains vulnerable version of jas_stream_printf(), that function is not used in netpbm. Parts of the jasper sources that contain a call of jas_stream_printf() that can possibly result in an overflow, are not embedded in the netpbm source. Removing netpbm maintainer from the CC. jasper-1.900.1-13.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc11 jasper-1.900.1-13.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc10 jasper-1.900.1-13.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el5 jasper-1.900.1-13.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el4 jasper-1.900.1-13.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. jasper-1.900.1-13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. jasper-1.900.1-13.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report. jasper-1.900.1-13.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: RHEV Manager version 3.5 Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html Fix was integrated upstream in version 1.900.2: https://github.com/mdadams/jasper/commit/d678ccd27b8a062e3bfd4c80d8ce2676a8166a27 |