security flaws in jasper (CVE-2015-5203, CVE-2015-5221)
Curtis Villamizar
curtis at ipv6.occnc.com
Thu Aug 27 16:32:58 UTC 2015

Michael, Maxim,

Any chance of fixing these two bugs?

A fix for CVE-2015-5203 was proposed. See
http://seclists.org/oss-sec/2015/q3/416
Diffs are at
http://sf.net/projects/mancha/files/sec/jasper-1.900.1_CVE-2015-5203.diff
though I don't know if these diffs fix anything.

The second bug is described at http://seclists.org/oss-sec/2015/q3/408
where a few means of fixing the bug are described but no diffs given.

There is some brief information at
http://vuxml.freebsd.org/freebsd/f1692469-45ce-11e5-adde-14dae9d210b8.html
which is where I ran into this.

Both firefox and chromium use the graphics/gdk-pixbuf2 port which
usually includes jasper, but can be configured out. Netpbm also uses
jasper which affects a few other ports and can't be configured out.

Other ports are likely to be affected. I just looked at ports I
regularly build and use.

Curtis