jasper has a number of unfixed CVEs:
CVE-2016-1867
CVE-2015-5221
CVE-2015-5203
all of which were marked <no-dsa> for wheezy and jessie. I understand
this for CVE-2016-1867 as that's only an out-of-bounds read, but the
other two are double-frees that I would expect to be usable for code
execution. Am I missing something?
Ben.
--
Ben Hutchings
Theory and practice are closer in theory than in practice.
- John Levine, moderator of comp.compilers