Description of problem:
Previously netpbm-progs used linked jasper library from the system which is watched for security. Current rhel-8 version uses built in implementation containing security flaws.
This was fortunately revealed by failing
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ldd /usr/bin/jpeg2ktopam
^ This might affect other inaries from the package.
libnetpbm.so.11 => /lib64/libnetpbm.so.11 (0x00007f9bf18d3000)
libm.so.6 => /lib64/libm.so.6 (0x00007f9bf1551000)
libc.so.6 => /lib64/libc.so.6 (0x00007f9bf118d000)
use shared libjasper.so
AFAICS, we regressed from using system to bundled jasper via the following change in Fedora:
That's a rebase of netpbm to version 10.75.99. There's no mention in the commit to explain why we stopped using system jasper.
However, I see that we rebased netpbm to version 10.79.00 (i.e. newer than the one in the above Fedora commit) in Red Hat Enterprise Linux 7.5, while still keeping the use of system jasper. That makes me assume there's either no hard requirement to use bundled jasper 10.75.99 and later, or that if there was a reason, it disappeared until 10.79.00. Fedora has also been using jasper 1.900.1 until late 2016, so newer system jasper can not be a reason for the above change done in mid-2016.
There's another bundled library - jbigkit - as hinted by this bug report and declared in the bundled provides:
The bug 1395716 comment 1 indicates we asked upstream about those bundled libs, but there's no further information if we got any response or what that response was.
AFAICS, netpbm bundles current jbigkit 2.1 (JBG_VERSION in the bundled jbig.h says so), which matches the system jbigkit version. We should look into unbundling this library as well.
*** Bug 1651851 has been marked as a duplicate of this bug. ***
Solution prepared. Need release + flag. Who can provide it?