security flaws in jasper (CVE-2015-5203, CVE-2015-5221)
curtis at ipv6.occnc.com
Thu Aug 27 16:32:58 UTC 2015
Any chance of fixing these two bugs?
A fix for CVE-2015-5203 was proposed. See
Diffs are at
though I don't know if these diffs fix anything.
The second bug is described at http://seclists.org/oss-sec/2015/q3/408
where a few means of fixing the bug are described but no diffs given.
There is some brief information at
which is where I ran into this.
Both firefox and chromium use the graphics/gdk-pixbuf2 port which
usually includes jasper, but can be configured out. Netpbm also uses
jasper which affects a few other ports and can't be configured out.
Other ports are likely to be affected. I just looked at ports I
regularly build and use.
More information about the freebsd-ports