jasper: mark as vulnerable #73586
Merged
jasper: mark as vulnerable #73586
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It is unused since v2.2.6 (2016) https://sourceforge.net/p/saga-gis/bugs/224/
jasper has several unfixed CVE and seems unmaintained Upstream open bug to replace it with OpenJPEG is: https://bugs.kde.org/show_bug.cgi?id=364231
jasper has unfixed CVE
Unused since: xbmc/xbmc@424c513
c0bw3b
added
1.severity: security
|
@GrahamcOfBorg build saga digikam k2pdfopt kodiPlain gdk-pixbuf grib-api libicns libraw openscenegraph |
|
I ran $ nix-review pr 73586 -p saga -p digikam -p k2pdfopt -p kodiPlain -p gdk-pixbuf -p grib-api -p libicns -p libraw -p openscenegraphResult of 1 package failed to build:
8 package were build:
I can't build digikam and all qt deps because of: builder for '/nix/store/43ylb9dr5prgrpd2kqybdjns21clab4j-extra-cmake-modules-5.62.0.drv' failed with exit code 1; last 1 log lines:
/nix/store/a49q0qlf6yb1ldv9xivzg2krj706pwlq-hook/nix-support/setup-hook: line 2: qtWrapperArgs: unbound variablewhich seems unrelated to these changes. |
jtojnar
reviewed
Nov 19, 2019
Mic92
approved these changes
Nov 19, 2019
|
That one might help to fix qt: diff --git a/pkgs/development/libraries/kde-frameworks/extra-cmake-modules/setup-hook.sh b/pkgs/development/libraries/kde-frameworks/extra-cmake-modules/setup-hook.sh
index 35982e86628..0ad185a16eb 100644
--- a/pkgs/development/libraries/kde-frameworks/extra-cmake-modules/setup-hook.sh
+++ b/pkgs/development/libraries/kde-frameworks/extra-cmake-modules/setup-hook.sh
@@ -77,6 +77,8 @@ ecmUnseenHostPath() {
ecmHostPathHook() {
ecmUnseenHostPath "$1" || return 0
+ declare -a qtWrapperArgs
+
local xdgConfigDir="$1/etc/xdg"
if [ -d "$xdgConfigDir" ]
then |
jasper has unfixed CVE Upstream has no plan to switch to openjpeg AFAICT
jtojnar
reviewed
Nov 19, 2019
1 task
jasper has many security issues and it's only used for some old Redcine cameras. See: LibRaw/LibRaw#69
jasper has many unfixed CVEs, upstream disable its use by default opencv/opencv#14058
Many memory issues remain unfixed or partially fixed: CVE-2018-18873 CVE-2018-19539 CVE-2018-19540 CVE-2018-19541 CVE-2018-9252 CVE-2018-19542 CVE-2018-19543 CVE-2018-20570 CVE-2018-20584 CVE-2018-20622 CVE-2018-9252 Debian/Ubuntu, OpenSuSE and Gentoo removed it entirely. See: jasper-software/jasper#208
|
Call for feedback: Could please someone else confirm who's regularly working with these programs? I think it's a good but also bold move. |
|
@c0bw3b I'd also suggest squashing all of the commits into one. |
Which ones? Only For other software touched in this PR, JPEG2000 support is an optional and mostly anecdotal feature.
Debian/Ubuntu took it out in 2016 and it hasn't lead to an outcry.
I'd rather keep them separate here, as it's not the same "logical" change applied to each package. |
jtojnar
approved these changes
Nov 23, 2019
10 tasks
|
This seems to have broken That is just weird as jasper did not propagate anything other than libjpeg, which is already a dependency of gdk-pixbuf. That should have no bearing on MIME sniffing. |
|
Not even a MIME issue. With 9aa6232, the |
jtojnar
added a commit
to jtojnar/nixpkgs
that referenced
this pull request
Dec 1, 2019
b78e840 tried to make the script better but used the wrong test syntax: [[ 113 > 99 ]] is false. This caused the librsvg not being added to $GDK_PIXBUF_MODULE_FILE. Fixes: NixOS#73586 (comment)
10 tasks
d-goldin
added a commit
to d-goldin/nixpkgs
that referenced
this pull request
Dec 1, 2019
Jasper has been recently marked as insecure and removed from a bunch of places due to some known vulnerabilities and upstream not moving forward. This was done in NixOS#73586 This prevents gegl_0_4 from building, as jasper is a runtime dependency per default. There is an upstream issue for that, but it does not seem to have made progress yet: https://gitlab.gnome.org/GNOME/gegl/issues/35
FRidh
pushed a commit
that referenced
this pull request
Dec 1, 2019
b78e840 tried to make the script better but used the wrong test syntax: [[ 113 > 99 ]] is false. This caused the librsvg not being added to $GDK_PIXBUF_MODULE_FILE. Fixes: #73586 (comment)
dtzWill
pushed a commit
to dtzWill/nixpkgs
that referenced
this pull request
Jan 24, 2020
Jasper has been recently marked as insecure and removed from a bunch of places due to some known vulnerabilities and upstream not moving forward. This was done in NixOS#73586 This prevents gegl_0_4 from building, as jasper is a runtime dependency per default. There is an upstream issue for that, but it does not seem to have made progress yet: https://gitlab.gnome.org/GNOME/gegl/issues/35 (cherry picked from commit c9841ed)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
The JPEG2000 library
jasperhas many unfixed CVEs. See previous discussion in #57681Vuln roundups: #57148, #55388 and many more before. Also Debian sec tracker for it.
v2.0.16 could have fixed a small subset of known CVEs but many are still open and upstream seems dead. At this point, Debian/Ubuntu, Gentoo and NetBSD removed
jasperentirely. OpenSuSE should do it too.An upstream issue by an OpenSuSE maintainer sums up the situation. On DigiKam bug tracker an interested party also shared informations showing that
jasperis barely on life support.So I replaced
jasperwithopenjpegwhenever possible, otherwise I disabled JPEG2000 support by default.OpenCV situation is a little bit different because it disables jasper by default (since 3.4.6/4.1.0) and requires a deliberate runtime option to use it. See opencv/opencv#14058
But since
jasperwill fail to eval because ofmeta.knownVulnerabilitiesit will prevent opencv from building.Will turn it off by default in opencv too tomorrowDoneI don't think we will need to backport this given that open CVEs in jasper are mostly memory mgmt issues (low to medium severity) and that exploitability remains unknown.
But this goes in the direction of deprecating
jasper. Hopefully by the time we release 20.03 digikam, gdk-pixbuf & co would have switched to using openjpeg instead.Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @pSub @andir