Hi everybody,

I uploaded version 1.900.1-13+deb7u5 of jasper to:
https://people.debian.org/~alteholz/packages/wheezy-lts/jasper/amd64/
Please give it a try and tell me about any problems you encounter.

As upstream is basically doing only bugfixes now, I would suggest not
proceeding with patching the current version in Wheezy, but instead
uploading the latest upstream version. Wheezy now has 1.900.1, whereas
upstream is at 1.900.31, or rather has switched to 2.0.1.

In case of thunderous applause, I would upload the most preferred
version in December. Any comments?

Thanks!
Thorsten

* CVE-2016-8691
  FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c
* CVE-2016-8692
  FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c
* CVE-2016-8693
  attempting double-free ... mem_close ... jas_stream.c
* CVE-2016-8882
  segfault / null pointer access in jpc_pi_destroy
* CVE-2016-9560
  stack-based buffer overflow in jpc_tsfb_getbands2 (jpc_tsfb.c)
* CVE-2016-8887 part 1 + 2
  NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)
* CVE-2016-8654
  Heap-based buffer overflow in QMFB code in JPC codec
* CVE-2016-8883
  assert in jpc_dec_tiledecode()
* TEMP-CVE
  heap-based buffer overflow in jpc_dec_tiledecode (jpc_dec.c)