[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bb5da2a80706221210u642de95bk7ca487471b284e14@mail.gmail.com>
Date: Sat, 23 Jun 2007 00:40:52 +0530
From: "Debasis Mohanty" <debasis.mohanty.listmails@...il.com>
To: xsecurity@...driva.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [ MDKSA-2007:129 ] - Updated jasper packages
fix vulnerability
Last month while I was fuzzing an application using Jasper, I got this -
The error message is "Error 500: Request processing failed; nested
exception is net.sf.jasperreports.engine.JRRuntimeException:
net.sf.jasperreports.engine.JRException: Error executing SQL statement
for : FaultEventExceed_FaultsSub1Type1"
though googling didn't help much in finding whether it is a known or
un-known issue, I personally worked with my customer in fixing it at
the application level without touching the package.
Feel free to ping me incase you need additional info.
-d
On 6/20/07, security@...driva.com <security@...driva.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> _______________________________________________________________________
>
> Mandriva Linux Security Advisory MDKSA-2007:129
> http://www.mandriva.com/security/
> _______________________________________________________________________
>
> Package : jasper
> Date : June 19, 2007
> Affected: 2007.0, 2007.1, Corporate 4.0
> _______________________________________________________________________
>
> Problem Description:
>
> A function in the JasPer JPEG-2000 library before 1.900 could allow
> a remote user-assisted attack to cause a crash and possibly corrupt
> the heap via malformed image files.
>
> Updated packages have been patched to prevent this issue.
> _______________________________________________________________________
>
> References:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721
> _______________________________________________________________________
>
> Updated Packages:
>
> Mandriva Linux 2007.0:
> fc28c38bdaf30d7a0c87a4066bf8bd9f 2007.0/i586/jasper-1.701.0-5.2mdv2007.0.i586.rpm
> 11d3d3624a4c0ffa7b946b1b16060b0d 2007.0/i586/libjasper1.701_1-1.701.0-5.2mdv2007.0.i586.rpm
> d77cd77558fa6111cf55e0cafb6e11d1 2007.0/i586/libjasper1.701_1-devel-1.701.0-5.2mdv2007.0.i586.rpm
> 4207ac7d0628f908d3d500298949552e 2007.0/i586/libjasper1.701_1-static-devel-1.701.0-5.2mdv2007.0.i586.rpm
> 9403ba210044e473e3e49b73abc3b381 2007.0/SRPMS/jasper-1.701.0-5.2mdv2007.0.src.rpm
>
> Mandriva Linux 2007.0/X86_64:
> 3eba6fe2596ffee7435c45815c0575b3 2007.0/x86_64/jasper-1.701.0-5.2mdv2007.0.x86_64.rpm
> 536be18741b3a12b2314c95cabd9d122 2007.0/x86_64/lib64jasper1.701_1-1.701.0-5.2mdv2007.0.x86_64.rpm
> da5b643b80457653cd320fcc7c044366 2007.0/x86_64/lib64jasper1.701_1-devel-1.701.0-5.2mdv2007.0.x86_64.rpm
> 6968049da9a8bce28b725f259078e29e 2007.0/x86_64/lib64jasper1.701_1-static-devel-1.701.0-5.2mdv2007.0.x86_64.rpm
> 9403ba210044e473e3e49b73abc3b381 2007.0/SRPMS/jasper-1.701.0-5.2mdv2007.0.src.rpm
>
> Mandriva Linux 2007.1:
> 757db1c621e9a62b0c6ddc09939f9b50 2007.1/i586/jasper-1.701.0-6.2mdv2007.1.i586.rpm
> 33534112f73f9a1c3223cac0ad70dcd0 2007.1/i586/libjasper1.701_1-1.701.0-6.2mdv2007.1.i586.rpm
> 9cb7006b790bf88bb947409a196d320f 2007.1/i586/libjasper1.701_1-devel-1.701.0-6.2mdv2007.1.i586.rpm
> 37e418b847f994c430b4e2d015cde7cf 2007.1/i586/libjasper1.701_1-static-devel-1.701.0-6.2mdv2007.1.i586.rpm
> 5dce393b97e5e51dd2ab73a6e1bfc30a 2007.1/SRPMS/jasper-1.701.0-6.2mdv2007.1.src.rpm
>
> Mandriva Linux 2007.1/X86_64:
> 24e01092b065fa180cd0020c1560c481 2007.1/x86_64/jasper-1.701.0-6.2mdv2007.1.x86_64.rpm
> 4d7e7a3479782ab99da344e958b06c97 2007.1/x86_64/lib64jasper1.701_1-1.701.0-6.2mdv2007.1.x86_64.rpm
> c05f8a80a9e0be928a148c48ac864299 2007.1/x86_64/lib64jasper1.701_1-devel-1.701.0-6.2mdv2007.1.x86_64.rpm
> 7c30e7642ec228a728b4477ed2c3af02 2007.1/x86_64/lib64jasper1.701_1-static-devel-1.701.0-6.2mdv2007.1.x86_64.rpm
> 5dce393b97e5e51dd2ab73a6e1bfc30a 2007.1/SRPMS/jasper-1.701.0-6.2mdv2007.1.src.rpm
>
> Corporate 4.0:
> b7cfcd228def50fdedcb0cd891d0d1ef corporate/4.0/i586/jasper-1.701.0-3.2.20060mlcs4.i586.rpm
> 613e148bd80a649a94847afaebe5f73f corporate/4.0/i586/libjasper1.701_1-1.701.0-3.2.20060mlcs4.i586.rpm
> d87ce97a019a778648214f629ce25979 corporate/4.0/i586/libjasper1.701_1-devel-1.701.0-3.2.20060mlcs4.i586.rpm
> ba3d7127d42fb47f05956f754b167cb6 corporate/4.0/i586/libjasper1.701_1-static-devel-1.701.0-3.2.20060mlcs4.i586.rpm
> 83f959601bbf25c3cdce83f07009f6a7 corporate/4.0/SRPMS/jasper-1.701.0-3.2.20060mlcs4.src.rpm
>
> Corporate 4.0/X86_64:
> 263b276f283c81693140adcde9be3ea2 corporate/4.0/x86_64/jasper-1.701.0-3.2.20060mlcs4.x86_64.rpm
> 7fbac34d3f7631ab7b3b244d49530986 corporate/4.0/x86_64/lib64jasper1.701_1-1.701.0-3.2.20060mlcs4.x86_64.rpm
> ec28b58eb02493bf2d69fbd55fc5b2c2 corporate/4.0/x86_64/lib64jasper1.701_1-devel-1.701.0-3.2.20060mlcs4.x86_64.rpm
> f8007f65086e970b1dd6f1011bb2c508 corporate/4.0/x86_64/lib64jasper1.701_1-static-devel-1.701.0-3.2.20060mlcs4.x86_64.rpm
> 83f959601bbf25c3cdce83f07009f6a7 corporate/4.0/SRPMS/jasper-1.701.0-3.2.20060mlcs4.src.rpm
> _______________________________________________________________________
>
> To upgrade automatically use MandrivaUpdate or urpmi. The verification
> of md5 checksums and GPG signatures is performed automatically for you.
>
> All packages are signed by Mandriva for security. You can obtain the
> GPG public key of the Mandriva Security Team by executing:
>
> gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
>
> You can view other update advisories for Mandriva Linux at:
>
> http://www.mandriva.com/security/advisories
>
> If you want to report vulnerabilities, please contact
>
> security_(at)_mandriva.com
> _______________________________________________________________________
>
> Type Bits/KeyID Date User ID
> pub 1024D/22458A98 2000-07-10 Mandriva Security Team
> <security*mandriva.com>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFGeFs3mqjQ0CJFipgRAhe0AKCNKWS3g/iCsSZef2v2Tm5mNyTkKACgtVOK
> IDJ/wsvILZSfZm3p49vUyBg=
> =trW3
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists