1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
|
jasper (1.900.1-debian1-2.5ubuntu24.04.0+8~b) noble; urgency=high
* Remove register instruction.
-- Slávek Banko <slavek.banko@axis.cz> Tue, 16 Apr 2024 00:17:47 +0200
jasper (1.900.1-debian1-2.5ubuntu24.04.0+7~b) noble; urgency=high
* Add missing function prototype.
-- Slávek Banko <slavek.banko@axis.cz> Mon, 15 Apr 2024 16:31:25 +0200
jasper (1.900.1-debian1-2.5debian11.0.0+6~a) bullseye; urgency=high
* As temporary workaround for #812630
package was added to Trinity repository
-- Slávek Banko <slavek.banko@axis.cz> Sat, 15 Jul 2019 16:22:20 +0200
jasper (1.900.1-debian1-2.4+deb8u6) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Improve CVE-2018-19542.patch: The original fix introduced a regression which
could break support for valid jp2 files.
-- Markus Koschany <apo@debian.org> Sat, 13 Apr 2019 20:36:54 +0200
jasper (1.900.1-debian1-2.4+deb8u5) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540,
CVE-2018-19541, CVE-2018-19542, CVE-2018-20570, CVE-2018-20584 and
CVE-2018-20622.
* Multiple issues were found in the JasPer JPEG-2000 library that could lead
to a denial-of-service (application crash), memory leaks and potentially
the execution of arbitrary code if a malformed image file is processed.
-- Markus Koschany <apo@debian.org> Wed, 02 Jan 2019 22:59:23 +0100
jasper (1.900.1-debian1-2.4+deb8u4) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2015-5203:
Gustavo Grieco discovered an integer overflow vulnerability that allows
remote attackers to cause a denial of service or may have other unspecified
impact via a crafted JPEG 2000 image file.
* Fix CVE-2015-5221:
Josselin Feist found a double-free vulnerability that allows remote
attackers to cause a denial-of-service (application crash) by processing a
malformed image file.
* Fix CVE-2016-8690:
Gustavo Grieco discovered a NULL pointer dereference vulnerability that can
cause a denial-of-service via a crafted BMP image file. The update also
includes the fixes for the related issues CVE-2016-8884 and CVE-2016-8885
which complete the patch for CVE-2016-8690.
* Fix CVE-2017-13748:
It was discovered that jasper does not properly release memory used to
store image tile data when image decoding fails which may lead to a
denial-of-service.
* Fix CVE-2017-14132:
A heap-based buffer over-read was found related to the jas_image_ishomosamp
function that could be triggered via a crafted image file and may cause a
denial-of-service (application crash) or have other unspecified impact.
-- Markus Koschany <apo@debian.org> Fri, 16 Nov 2018 18:44:08 +0100
jasper (1.900.1-debian1-2.4+deb8u3) jessie-security; urgency=medium
* CVE-2016-9591 CVE-2016-10249 CVE-2016-10251
-- Moritz Mühlenhoff <jmm@debian.org> Sun, 02 Apr 2017 19:59:44 +0200
jasper (1.900.1-debian1-2.4+deb8u2) jessie-security; urgency=medium
* CVE-2016-1867 CVE-2016-8654 CVE-2016-8691 CVE-2016-8692
CVE-2016-8693 CVE-2016-8882 CVE-2016-9560
-- Moritz Mühlenhoff <jmm@debian.org> Tue, 07 Feb 2017 22:49:13 +0100
jasper (1.900.1-debian1-2.4+deb8u1) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
(Closes: #816625)
* CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
(Closes: #812978)
* CVE-2016-2116: Prevent jas_stream_t memory leak in
jas_iccprof_createfrombuf() (Closes: #816626)
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 06 Mar 2016 14:49:44 +0100
jasper (1.900.1-debian1-2.4) unstable; urgency=high
* Non-maintainer upload.
* Add 07-CVE-2014-8157.patch patch.
CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
(Closes: #775970)
* Add 08-CVE-2014-8158.patch patch.
CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes: #775970)
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 22 Jan 2015 17:09:24 +0100
jasper (1.900.1-debian1-2.3) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Add 05-CVE-2014-8137.patch patch.
CVE-2014-8137: double-free in in jas_iccattrval_destroy(). (Closes: #773463)
* Add 06-CVE-2014-8138.patch patch.
CVE-2014-8138: heap overflow in jp2_decode(). (Closes: #773463)
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 20 Dec 2014 08:42:19 +0100
jasper (1.900.1-debian1-2.2) unstable; urgency=high
* Non-maintainer upload.
* Add 04-CVE-2014-9029.patch patch.
CVE-2014-9029: incorrect component number check in COC, RGN and QCC
marker segment decoders. (Closes: #772036)
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 05 Dec 2014 08:39:16 +0100
jasper (1.900.1-debian1-2.1) unstable; urgency=medium
* Non-maintainer upload (acked by maintainer)
* Change B-D to libjpeg-dev to finish the transition to libjpeg-turbo
(Closes: #763475)
-- Ondřej Surý <ondrej@debian.org> Mon, 29 Sep 2014 15:25:32 +0200
jasper (1.900.1-debian1-2) unstable; urgency=medium
* debian/rules: Changed from dh $@ --with autotools_dev to autoreconf
to fix build issue on new architectures (Closes: #747507)
-- Roland Stigge <stigge@antcom.de> Sun, 18 May 2014 19:46:12 +0200
jasper (1.900.1-debian1-1) unstable; urgency=medium
* Re-packaged upstream tarball without srgb.icm (Closes: #736805)
* debian/control:
- Build-Depends: debhelper (>= 9)
- Standards-Version: 3.9.5
-- Roland Stigge <stigge@antcom.de> Sat, 12 Apr 2014 22:38:23 +0200
jasper (1.900.1-14) unstable; urgency=low
* Fix FTBFS on Hurd by defining PATH_MAX (Closes: #690298)
Thanks to Pino Toscano!
-- Roland Stigge <stigge@antcom.de> Sat, 13 Oct 2012 18:06:57 +0200
jasper (1.900.1-13) unstable; urgency=high
* Fix CVE-2011-4516 and CVE-2011-4517: Two buffer overflow issues possibly
exploitable via specially crafted input files (Closes: #652649)
Thanks to Red Hat and Michael Gilbert
-- Roland Stigge <stigge@antcom.de> Wed, 04 Jan 2012 19:14:40 +0100
jasper (1.900.1-12) unstable; urgency=low
* Added patch to fix filename buffer overflow, thanks to Jonas Smedegard
and Alex Cherepanov from ghostscript (Closes: #649833)
-- Roland Stigge <stigge@antcom.de> Sun, 27 Nov 2011 19:56:01 +0100
jasper (1.900.1-11) unstable; urgency=low
* Added Multiarch support, thanks to Colin Watson (Closes: #645118)
-- Roland Stigge <stigge@antcom.de> Wed, 02 Nov 2011 17:16:10 +0100
jasper (1.900.1-10) unstable; urgency=low
* Added debian/watch
* debian/patches/01-misc-fixes.patch:
- Separated out config.{guess,sub}
-- Roland Stigge <stigge@antcom.de> Mon, 15 Aug 2011 19:09:29 +0200
jasper (1.900.1-9) unstable; urgency=low
* Switch to dpkg-source 3.0 (quilt) format
* Using new dh 7 build system
-- Roland Stigge <stigge@antcom.de> Tue, 12 Jul 2011 20:21:21 +0200
jasper (1.900.1-8) unstable; urgency=low
* Removed unneeded .la file (Closes: #633162)
* debian/control:
- Standards-Version: 3.9.2
- use libjpeg8-dev instead of libjpeg62-dev
-- Roland Stigge <stigge@antcom.de> Mon, 11 Jul 2011 21:27:24 +0200
jasper (1.900.1-7) unstable; urgency=low
* Acknowledge NMU
* Added patch to fix Debian patch for CVE-2008-3521 (Closes: #506739)
* debian/control: Standards-Version: 3.8.4
-- Roland Stigge <stigge@antcom.de> Sun, 21 Feb 2010 16:09:45 +0100
jasper (1.900.1-6.1) unstable; urgency=low
* Non-maintainer upload.
* This is a fix for the GeoJP2 patch introduced in 1.900.1-5 which caused
GDAL faulting. Thanks Even Rouault. (Closes: #553429)
-- Francesco Paolo Lovergine <frankie@debian.org> Wed, 28 Oct 2009 09:39:28 +0100
jasper (1.900.1-6) unstable; urgency=low
* Reverted to jasper 1.900.1-6 because 1.900.1-5.1 messed up (see #528543)
but 1.900.1-5 wasn't available anymore. (Closes: #514296, #528543)
* Re-applied patch from #275619 as in 1.900.1-5
* debian/control: Standards-Version: 3.8.2
* Applied patch by Nico Golde (Closes: #501021)
- CVE-2008-3522[0]: Buffer overflow.
- CVE-2008-3521[1]: unsecure temporary files handling.
- CVE-2008-3520[2]: Multiple integer overflows.
-- Roland Stigge <stigge@antcom.de> Sat, 20 Jun 2009 15:21:16 +0200
jasper (1.900.1-5.1) unstable; urgency=low
* Non-maintainer upload.
* add patches/02_security.dpatch to fix various CVEs (Closes: #501021):
+ CVE-2008-3522[0]: Buffer overflow.
+ CVE-2008-3521[1]: unsecure temporary files handling.
+ CVE-2008-3520[2]: Multiple integer overflows.
-- Pierre Habouzit <madcoder@debian.org> Sun, 12 Oct 2008 21:40:59 +0200
jasper (1.900.1-5) unstable; urgency=low
* Added GeoJP2 patch by Sven Geggus <sven.geggus@iitb.fraunhofer.de>
(Closes: #275619)
* debian/control: Standards-Version: 3.8.0
-- Roland Stigge <stigge@antcom.de> Sun, 08 Jun 2008 13:14:24 +0200
jasper (1.900.1-4) unstable; urgency=low
* src/libjasper/jpc/jpc_dec.c: Extended assert() to accept 4 color
components (Closes: #469786)
* debian/rules: improve "make distclean", thanks to lintian
* debian/control:
- Standards-Version: 3.7.3
- ${Source-Version} -> ${binary:Version}
- Removed self-dependencies of libjasper-dev
-- Roland Stigge <stigge@antcom.de> Sun, 09 Mar 2008 11:53:44 +0100
jasper (1.900.1-3) unstable; urgency=low
* Fixed segfaults on broken images (Closes: #413041)
-- Roland Stigge <stigge@antcom.de> Tue, 10 Apr 2007 10:05:10 +0200
jasper (1.900.1-2) experimental; urgency=low
* Added jas_tmr.h to -dev package (Closes: #414705)
-- Roland Stigge <stigge@antcom.de> Tue, 13 Mar 2007 14:23:58 +0100
jasper (1.900.1-1) experimental; urgency=low
* New upstream release
* debian/control:
- Standards-Version: 3.7.2
- Build-Depends: freeglut3-dev instead of libglut3-dev (Closes: #394496)
* Renamed packages to libjasper1, libjasper-dev, libjasper-runtime according
to upstream shared library naming change
-- Roland Stigge <stigge@antcom.de> Fri, 26 Jan 2007 14:22:18 +0100
jasper (1.701.0-2) unstable; urgency=low
* Prevent compression of pdf documents in binary packages
* Added man pages for the executables (Closes: #250077)
* Again renamed binary packages to reflect Policy:
- libjasper-1.701-1
- libjasper-1.701-dev (Provides, Replaces and Conflicts: libjasper-dev)
- libjasper-runtime
-- Roland Stigge <stigge@antcom.de> Sun, 20 Jun 2004 13:54:10 +0200
jasper (1.701.0-1) unstable; urgency=low
* New maintainer (Closes: #217099)
* New upstream release (Closes: #217570)
- new DFSG-compliant license (Closes: #218999, #245075)
- includes newer libtool related files (Closes: #210383)
* debian/control:
- Standards-Version: 3.6.1
- Changed binary package names, fixed interdependencies (Closes: #211592)
libjasper-1.700-2 => libjasper1
libjasper-1.700-2-dev => libjasper-dev
libjasper-progs => libjasper-runtime
(new packages conflicting and replacing the old ones)
- Added libxi-dev, libxmu-dev, libxt-dev to Build-Depends
(Closes: #250481)
-- Roland Stigge <stigge@antcom.de> Sat, 19 Jun 2004 23:19:32 +0200
jasper (1.700.2-1) unstable; urgency=low
* Initial Release.
-- Christopher L Cheney <ccheney@debian.org> Fri, 22 Aug 2003 01:30:00 -0500
|
