jasper (1.900.1-debian1-2.4ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2018-18873.patch: check components for RGB,
      fixes NULL pointer deference in src/libjasper/ras/ras_enc.c.
    - CVE-2018-18873
  * SECURITY UPDATE: Null pointer dereference
    - debian/patches/CVE-2018-19542-and-CVE-2017-9782.patch: fix numchans mixup,
      NULL dereference in src/libjasper/jp2/jp2_dec.c.
    - CVE-2018-19542
    - CVE-2017-9782
  * SECURITY UPDATE: Out of bounds write
    - debian/patches/CVE-2020-27828.patch: avoid maxrlvls more
      than upper bound to cause heap-buffer-overflow in
      src/libjasper/jpc/jpc_enc.c.
    - CVE-2020-27828

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Fri, 08 Jan 2021 11:19:23 -0300

jasper (1.900.1-debian1-2.4ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: double-free in jasper_image_stop_load
    - debian/patches/CVE-2015-5203-CVE-2016-9262.patch: fix overflow and
      double free in src/libjasper/base/jas_image.c,
      src/libjasper/include/jasper/jas_math.h.
      (Thanks to Red Hat for the patch!)
    - CVE-2015-5203
  * SECURITY UPDATE: use-after-free in mif_process_cmpt
    - debian/patches/CVE-2015-5221.patch: fix use-after-free in
      src/libjasper/mif/mif_cod.c.
    - CVE-2015-5221
  * SECURITY UPDATE: denial of service in jpc_tsfb_synthesize
    - debian/patches/CVE-2016-10248.patch: fix type promotion and prevent
      null pointer dereference in src/libjasper/include/jasper/jas_seq.h,
      src/libjasper/jpc/jpc_dec.c, src/libjasper/jpc/jpc_tsfb.c.
    - CVE-2016-10248
  * SECURITY UPDATE: denial of service in jp2_colr_destroy
    - debian/patches/CVE-2016-10250.patch: fix cleanup in
      src/libjasper/jp2/jp2_cod.c.
    - CVE-2016-10250
  * SECURITY UPDATE: denial of service in jpc_dec_tiledecode
    - debian/patches/CVE-2016-8883.patch: remove asserts in
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2016-8883
  * SECURITY UPDATE: denial of service in jp2_colr_destroy
    - debian/patches/CVE-2016-8887.patch: don't destroy box that doesn't
      exist in src/libjasper/jp2/jp2_cod.c, src/libjasper/jp2/jp2_dec.c.
    - CVE-2016-8887
  * SECURITY UPDATE: integer overflow in jpc_dec_process_siz
    - debian/patches/CVE-2016-9387-1.patch: fix overflow in
      src/libjasper/jpc/jpc_dec.c.
    - debian/patches/CVE-2016-9387-2.patch: add more checks to
      src/libjasper/jpc/jpc_dec.c.
    - CVE-2016-9387
  * SECURITY UPDATE: denial of service in ras_getcmap
    - debian/patches/CVE-2016-9388.patch: remove assertions in
      src/libjasper/ras/ras_dec.c, src/libjasper/ras/ras_enc.c.
    - CVE-2016-9388
  * SECURITY UPDATE: denial of service in jpc_irct and jpc_iict functions
    - debian/patches/CVE-2016-9389.patch: add check to
      src/libjasper/base/jas_image.c, src/libjasper/jpc/jpc_dec.c,
      src/libjasper/include/jasper/jas_image.h.
    - CVE-2016-9389
  * SECURITY UPDATE: denial of service in jas_seq2d_create
    - debian/patches/CVE-2016-9390.patch: check tiles in
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9390
  * SECURITY UPDATE: denial of service in jpc_bitstream_getbits
    - debian/patches/CVE-2016-9391.patch: add tests to
      src/libjasper/jpc/jpc_bs.c, src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9391
  * SECURITY UPDATE: multiple denial of service issues
    - debian/patches/CVE-2016-9392-3-4.patch: add more checks to
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9392
    - CVE-2016-9393
    - CVE-2016-9394
  * SECURITY UPDATE: denial of service in JPC_NOMINALGAIN
    - debian/patches/CVE-2016-9396.patch: add check to
      src/libjasper/jpc/jpc_cs.c.
    - CVE-2016-9396
  * SECURITY UPDATE: denial of service via crafted image
    - debian/patches/CVE-2016-9600.patch: add more checks to
      src/libjasper/jp2/jp2_enc.c.
    - CVE-2016-9600
  * SECURITY UPDATE: NULL pointer exception in jp2_encode
    - debian/patches/CVE-2017-1000050.patch: check number of components in
      src/libjasper/jp2/jp2_enc.c.
    - CVE-2017-1000050
  * SECURITY UPDATE: denial of service in jp2_cdef_destroy
    - debian/patches/CVE-2017-6850.patch: initialize data in
      src/libjasper/base/jas_stream.c, src/libjasper/jp2/jp2_cod.c.
    - CVE-2017-6850

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 27 Jun 2018 07:48:44 -0400

jasper (1.900.1-debian1-2.4ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      1.900.1-debian1-2.4+deb8u3 release. Thanks!
    - CVE-2016-1867, CVE-2016-2089, CVE-2016-8654, CVE-2016-8691,
      CVE-2016-8692, CVE-2016-8693, CVE-2016-8882, CVE-2016-9560,
      CVE-2016-9591, CVE-2016-10249, CVE-2016-10251

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 18 May 2017 10:37:26 -0400

jasper (1.900.1-debian1-2.4ubuntu1) xenial; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <tyhicks@canonical.com>  Wed, 02 Mar 2016 15:30:54 -0600

jasper (1.900.1-debian1-2.4) unstable; urgency=high

  * Non-maintainer upload.
  * Add 07-CVE-2014-8157.patch patch.
    CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
    (Closes: #775970)
  * Add 08-CVE-2014-8158.patch patch.
    CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes: #775970)

 -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 22 Jan 2015 17:09:24 +0100

jasper (1.900.1-debian1-2.3) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add 05-CVE-2014-8137.patch patch.
    CVE-2014-8137: double-free in in jas_iccattrval_destroy(). (Closes: #773463)
  * Add 06-CVE-2014-8138.patch patch.
    CVE-2014-8138: heap overflow in jp2_decode(). (Closes: #773463)

 -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 20 Dec 2014 08:42:19 +0100

jasper (1.900.1-debian1-2.2) unstable; urgency=high

  * Non-maintainer upload.
  * Add 04-CVE-2014-9029.patch patch.
    CVE-2014-9029: incorrect component number check in COC, RGN and QCC
    marker segment decoders. (Closes: #772036)

 -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 05 Dec 2014 08:39:16 +0100

jasper (1.900.1-debian1-2.1) unstable; urgency=medium

  * Non-maintainer upload (acked by maintainer)
  * Change B-D to libjpeg-dev to finish the transition to libjpeg-turbo
    (Closes: #763475)

 -- Ondřej Surý <ondrej@debian.org>  Mon, 29 Sep 2014 15:25:32 +0200

jasper (1.900.1-debian1-2) unstable; urgency=medium

  * debian/rules: Changed from dh $@ --with autotools_dev to autoreconf
    to fix build issue on new architectures (Closes: #747507)

 -- Roland Stigge <stigge@antcom.de>  Sun, 18 May 2014 19:46:12 +0200

jasper (1.900.1-debian1-1) unstable; urgency=medium

  * Re-packaged upstream tarball without srgb.icm (Closes: #736805)
  * debian/control:
    - Build-Depends: debhelper (>= 9)
    - Standards-Version: 3.9.5

 -- Roland Stigge <stigge@antcom.de>  Sat, 12 Apr 2014 22:38:23 +0200

jasper (1.900.1-14) unstable; urgency=low

  * Fix FTBFS on Hurd by defining PATH_MAX (Closes: #690298)
    Thanks to Pino Toscano!

 -- Roland Stigge <stigge@antcom.de>  Sat, 13 Oct 2012 18:06:57 +0200

jasper (1.900.1-13) unstable; urgency=high

  * Fix CVE-2011-4516 and CVE-2011-4517: Two buffer overflow issues possibly
    exploitable via specially crafted input files (Closes: #652649)
    Thanks to Red Hat and Michael Gilbert

 -- Roland Stigge <stigge@antcom.de>  Wed, 04 Jan 2012 19:14:40 +0100

jasper (1.900.1-12) unstable; urgency=low

  * Added patch to fix filename buffer overflow, thanks to Jonas Smedegard
    and Alex Cherepanov from ghostscript (Closes: #649833)

 -- Roland Stigge <stigge@antcom.de>  Sun, 27 Nov 2011 19:56:01 +0100

jasper (1.900.1-11) unstable; urgency=low

  * Added Multiarch support, thanks to Colin Watson (Closes: #645118)

 -- Roland Stigge <stigge@antcom.de>  Wed, 02 Nov 2011 17:16:10 +0100

jasper (1.900.1-10) unstable; urgency=low

  * Added debian/watch
  * debian/patches/01-misc-fixes.patch:
    - Separated out config.{guess,sub}

 -- Roland Stigge <stigge@antcom.de>  Mon, 15 Aug 2011 19:09:29 +0200

jasper (1.900.1-9) unstable; urgency=low

  * Switch to dpkg-source 3.0 (quilt) format
  * Using new dh 7 build system

 -- Roland Stigge <stigge@antcom.de>  Tue, 12 Jul 2011 20:21:21 +0200

jasper (1.900.1-8) unstable; urgency=low

  * Removed unneeded .la file (Closes: #633162)
  * debian/control:
    - Standards-Version: 3.9.2
    - use libjpeg8-dev instead of libjpeg62-dev

 -- Roland Stigge <stigge@antcom.de>  Mon, 11 Jul 2011 21:27:24 +0200

jasper (1.900.1-7) unstable; urgency=low

  * Acknowledge NMU
  * Added patch to fix Debian patch for CVE-2008-3521 (Closes: #506739)
  * debian/control: Standards-Version: 3.8.4

 -- Roland Stigge <stigge@antcom.de>  Sun, 21 Feb 2010 16:09:45 +0100

jasper (1.900.1-6.1) unstable; urgency=low

  * Non-maintainer upload.
  * This is a fix for the GeoJP2 patch introduced in 1.900.1-5 which caused 
    GDAL faulting. Thanks Even Rouault. (Closes: #553429)

 -- Francesco Paolo Lovergine <frankie@debian.org>  Wed, 28 Oct 2009 09:39:28 +0100

jasper (1.900.1-6) unstable; urgency=low

  * Reverted to jasper 1.900.1-6 because 1.900.1-5.1 messed up (see #528543)
    but 1.900.1-5 wasn't available anymore. (Closes: #514296, #528543)
  * Re-applied patch from #275619 as in 1.900.1-5
  * debian/control: Standards-Version: 3.8.2
  * Applied patch by Nico Golde (Closes: #501021)
     - CVE-2008-3522[0]: Buffer overflow.
     - CVE-2008-3521[1]: unsecure temporary files handling.
     - CVE-2008-3520[2]: Multiple integer overflows.

 -- Roland Stigge <stigge@antcom.de>  Sat, 20 Jun 2009 15:21:16 +0200

jasper (1.900.1-5.1) unstable; urgency=low

  * Non-maintainer upload.
  * add patches/02_security.dpatch to fix various CVEs (Closes: #501021):
     + CVE-2008-3522[0]: Buffer overflow.
     + CVE-2008-3521[1]: unsecure temporary files handling.
     + CVE-2008-3520[2]: Multiple integer overflows.

 -- Pierre Habouzit <madcoder@debian.org>  Sun, 12 Oct 2008 21:40:59 +0200

jasper (1.900.1-5) unstable; urgency=low

  * Added GeoJP2 patch by Sven Geggus <sven.geggus@iitb.fraunhofer.de>
    (Closes: #275619)
  * debian/control: Standards-Version: 3.8.0

 -- Roland Stigge <stigge@antcom.de>  Sun, 08 Jun 2008 13:14:24 +0200

jasper (1.900.1-4) unstable; urgency=low

  * src/libjasper/jpc/jpc_dec.c: Extended assert() to accept 4 color
    components (Closes: #469786)
  * debian/rules: improve "make distclean", thanks to lintian
  * debian/control:
    - Standards-Version: 3.7.3
    - ${Source-Version} -> ${binary:Version}
    - Removed self-dependencies of libjasper-dev

 -- Roland Stigge <stigge@antcom.de>  Sun, 09 Mar 2008 11:53:44 +0100

jasper (1.900.1-3) unstable; urgency=low

  * Fixed segfaults on broken images (Closes: #413041)

 -- Roland Stigge <stigge@antcom.de>  Tue, 10 Apr 2007 10:05:10 +0200

jasper (1.900.1-2) experimental; urgency=low

  * Added jas_tmr.h to -dev package (Closes: #414705)

 -- Roland Stigge <stigge@antcom.de>  Tue, 13 Mar 2007 14:23:58 +0100

jasper (1.900.1-1) experimental; urgency=low

  * New upstream release
  * debian/control:
    - Standards-Version: 3.7.2
    - Build-Depends: freeglut3-dev instead of libglut3-dev (Closes: #394496)
  * Renamed packages to libjasper1, libjasper-dev, libjasper-runtime according
    to upstream shared library naming change

 -- Roland Stigge <stigge@antcom.de>  Fri, 26 Jan 2007 14:22:18 +0100

jasper (1.701.0-2) unstable; urgency=low

  * Prevent compression of pdf documents in binary packages
  * Added man pages for the executables (Closes: #250077)
  * Again renamed binary packages to reflect Policy:
      - libjasper-1.701-1
      - libjasper-1.701-dev (Provides, Replaces and Conflicts: libjasper-dev)
      - libjasper-runtime

 -- Roland Stigge <stigge@antcom.de>  Sun, 20 Jun 2004 13:54:10 +0200

jasper (1.701.0-1) unstable; urgency=low

  * New maintainer (Closes: #217099)
  * New upstream release (Closes: #217570)
      - new DFSG-compliant license (Closes: #218999, #245075)
      - includes newer libtool related files (Closes: #210383)
  * debian/control:
      - Standards-Version: 3.6.1
      - Changed binary package names, fixed interdependencies (Closes: #211592)
          libjasper-1.700-2 => libjasper1
          libjasper-1.700-2-dev => libjasper-dev
          libjasper-progs => libjasper-runtime
        (new packages conflicting and replacing the old ones)
      - Added libxi-dev, libxmu-dev, libxt-dev to Build-Depends
        (Closes: #250481)

 -- Roland Stigge <stigge@antcom.de>  Sat, 19 Jun 2004 23:19:32 +0200

jasper (1.700.2-1) unstable; urgency=low

  * Initial Release.

 -- Christopher L Cheney <ccheney@debian.org>  Fri, 22 Aug 2003 01:30:00 -0500

