lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 23 Jun 2007 00:40:52 +0530
From: "Debasis Mohanty" <debasis.mohanty.listmails@...il.com>
To: xsecurity@...driva.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [ MDKSA-2007:129 ] - Updated jasper packages
	fix vulnerability

Last month while I was fuzzing an application using Jasper, I got this -

The error message is "Error 500: Request processing failed; nested
exception is net.sf.jasperreports.engine.JRRuntimeException:
net.sf.jasperreports.engine.JRException: Error executing SQL statement
for : FaultEventExceed_FaultsSub1Type1"

though googling didn't help much in finding whether it is a known or
un-known issue, I personally worked with my customer in fixing it at
the application level without touching the package.

Feel free to ping me incase you need additional info.

-d


On 6/20/07, security@...driva.com <security@...driva.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>  _______________________________________________________________________
>
>  Mandriva Linux Security Advisory                         MDKSA-2007:129
>  http://www.mandriva.com/security/
>  _______________________________________________________________________
>
>  Package : jasper
>  Date    : June 19, 2007
>  Affected: 2007.0, 2007.1, Corporate 4.0
>  _______________________________________________________________________
>
>  Problem Description:
>
>  A function in the JasPer JPEG-2000 library before 1.900 could allow
>  a remote user-assisted attack to cause a crash and possibly corrupt
>  the heap via malformed image files.
>
>  Updated packages have been patched to prevent this issue.
>  _______________________________________________________________________
>
>  References:
>
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721
>  _______________________________________________________________________
>
>  Updated Packages:
>
>  Mandriva Linux 2007.0:
>  fc28c38bdaf30d7a0c87a4066bf8bd9f  2007.0/i586/jasper-1.701.0-5.2mdv2007.0.i586.rpm
>  11d3d3624a4c0ffa7b946b1b16060b0d  2007.0/i586/libjasper1.701_1-1.701.0-5.2mdv2007.0.i586.rpm
>  d77cd77558fa6111cf55e0cafb6e11d1  2007.0/i586/libjasper1.701_1-devel-1.701.0-5.2mdv2007.0.i586.rpm
>  4207ac7d0628f908d3d500298949552e  2007.0/i586/libjasper1.701_1-static-devel-1.701.0-5.2mdv2007.0.i586.rpm
>  9403ba210044e473e3e49b73abc3b381  2007.0/SRPMS/jasper-1.701.0-5.2mdv2007.0.src.rpm
>
>  Mandriva Linux 2007.0/X86_64:
>  3eba6fe2596ffee7435c45815c0575b3  2007.0/x86_64/jasper-1.701.0-5.2mdv2007.0.x86_64.rpm
>  536be18741b3a12b2314c95cabd9d122  2007.0/x86_64/lib64jasper1.701_1-1.701.0-5.2mdv2007.0.x86_64.rpm
>  da5b643b80457653cd320fcc7c044366  2007.0/x86_64/lib64jasper1.701_1-devel-1.701.0-5.2mdv2007.0.x86_64.rpm
>  6968049da9a8bce28b725f259078e29e  2007.0/x86_64/lib64jasper1.701_1-static-devel-1.701.0-5.2mdv2007.0.x86_64.rpm
>  9403ba210044e473e3e49b73abc3b381  2007.0/SRPMS/jasper-1.701.0-5.2mdv2007.0.src.rpm
>
>  Mandriva Linux 2007.1:
>  757db1c621e9a62b0c6ddc09939f9b50  2007.1/i586/jasper-1.701.0-6.2mdv2007.1.i586.rpm
>  33534112f73f9a1c3223cac0ad70dcd0  2007.1/i586/libjasper1.701_1-1.701.0-6.2mdv2007.1.i586.rpm
>  9cb7006b790bf88bb947409a196d320f  2007.1/i586/libjasper1.701_1-devel-1.701.0-6.2mdv2007.1.i586.rpm
>  37e418b847f994c430b4e2d015cde7cf  2007.1/i586/libjasper1.701_1-static-devel-1.701.0-6.2mdv2007.1.i586.rpm
>  5dce393b97e5e51dd2ab73a6e1bfc30a  2007.1/SRPMS/jasper-1.701.0-6.2mdv2007.1.src.rpm
>
>  Mandriva Linux 2007.1/X86_64:
>  24e01092b065fa180cd0020c1560c481  2007.1/x86_64/jasper-1.701.0-6.2mdv2007.1.x86_64.rpm
>  4d7e7a3479782ab99da344e958b06c97  2007.1/x86_64/lib64jasper1.701_1-1.701.0-6.2mdv2007.1.x86_64.rpm
>  c05f8a80a9e0be928a148c48ac864299  2007.1/x86_64/lib64jasper1.701_1-devel-1.701.0-6.2mdv2007.1.x86_64.rpm
>  7c30e7642ec228a728b4477ed2c3af02  2007.1/x86_64/lib64jasper1.701_1-static-devel-1.701.0-6.2mdv2007.1.x86_64.rpm
>  5dce393b97e5e51dd2ab73a6e1bfc30a  2007.1/SRPMS/jasper-1.701.0-6.2mdv2007.1.src.rpm
>
>  Corporate 4.0:
>  b7cfcd228def50fdedcb0cd891d0d1ef  corporate/4.0/i586/jasper-1.701.0-3.2.20060mlcs4.i586.rpm
>  613e148bd80a649a94847afaebe5f73f  corporate/4.0/i586/libjasper1.701_1-1.701.0-3.2.20060mlcs4.i586.rpm
>  d87ce97a019a778648214f629ce25979  corporate/4.0/i586/libjasper1.701_1-devel-1.701.0-3.2.20060mlcs4.i586.rpm
>  ba3d7127d42fb47f05956f754b167cb6  corporate/4.0/i586/libjasper1.701_1-static-devel-1.701.0-3.2.20060mlcs4.i586.rpm
>  83f959601bbf25c3cdce83f07009f6a7  corporate/4.0/SRPMS/jasper-1.701.0-3.2.20060mlcs4.src.rpm
>
>  Corporate 4.0/X86_64:
>  263b276f283c81693140adcde9be3ea2  corporate/4.0/x86_64/jasper-1.701.0-3.2.20060mlcs4.x86_64.rpm
>  7fbac34d3f7631ab7b3b244d49530986  corporate/4.0/x86_64/lib64jasper1.701_1-1.701.0-3.2.20060mlcs4.x86_64.rpm
>  ec28b58eb02493bf2d69fbd55fc5b2c2  corporate/4.0/x86_64/lib64jasper1.701_1-devel-1.701.0-3.2.20060mlcs4.x86_64.rpm
>  f8007f65086e970b1dd6f1011bb2c508  corporate/4.0/x86_64/lib64jasper1.701_1-static-devel-1.701.0-3.2.20060mlcs4.x86_64.rpm
>  83f959601bbf25c3cdce83f07009f6a7  corporate/4.0/SRPMS/jasper-1.701.0-3.2.20060mlcs4.src.rpm
>  _______________________________________________________________________
>
>  To upgrade automatically use MandrivaUpdate or urpmi.  The verification
>  of md5 checksums and GPG signatures is performed automatically for you.
>
>  All packages are signed by Mandriva for security.  You can obtain the
>  GPG public key of the Mandriva Security Team by executing:
>
>   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
>
>  You can view other update advisories for Mandriva Linux at:
>
>   http://www.mandriva.com/security/advisories
>
>  If you want to report vulnerabilities, please contact
>
>   security_(at)_mandriva.com
>  _______________________________________________________________________
>
>  Type Bits/KeyID     Date       User ID
>  pub  1024D/22458A98 2000-07-10 Mandriva Security Team
>   <security*mandriva.com>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFGeFs3mqjQ0CJFipgRAhe0AKCNKWS3g/iCsSZef2v2Tm5mNyTkKACgtVOK
> IDJ/wsvILZSfZm3p49vUyBg=
> =trW3
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ