pkg audit reports multiple vulnerabilities:

jasper-1.900.1_14 is vulnerable:
jasper -- multiple vulnerabilities
CVE: CVE-2015-5221
CVE: CVE-2015-5203
WWW: https://vuxml.FreeBSD.org/freebsd/f1692469-45ce-11e5-adde-14dae9d210b8.html

I believe OpenBSD already tackled this.

no patches in OpenBSD Repo: http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/graphics/jasper/patches/

A commit references this bug:

Author: dinoex
Date: Sat Feb 20 13:34:12 UTC 2016
New revision: 409237
URL: https://svnweb.freebsd.org/changeset/ports/409237

Log:
  - make option UUID default
  - fix double-free in jas_iccattrval_destroy()
    Obtained from: RedHat
    Security: CVE-2014-8137
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173157
  - fix heap overflow in jp2_decode()
    Obtained from: RedHat
    Security: CVE-2014-8138
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173162
  - dec->numtiles off-by-one check in jpc_dec_process_sot()
    Obtained from: RedHat, Fedora
    Security: CVE-2014-8157
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282
  - multiple stack-based buffer overflows
    Obtained from: RedHat, Fedora
    Security: CVE-2014-8158
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282
  - fix Heap overflows in libjasper
    Obtained from: RedHat
    Security: CVE-2014-9029
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1167537
  - fix Use-after-free (and double-free)
    Security: CVE-2015-5221
    Security: http://www.openwall.com/lists/oss-security/2015/08/20/4
    PR: 203504
  - patch (rows_ NULL check)
    Obtained from: RedHat
    Security: CVE-2016-2089
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1302636

Changes:
  head/graphics/jasper/Makefile
  head/graphics/jasper/files/patch-jas_icc.c
  head/graphics/jasper/files/patch-jas_image.c
  head/graphics/jasper/files/patch-jas_seq.c
  head/graphics/jasper/files/patch-jas_types.h
  head/graphics/jasper/files/patch-jp2_cod.c
  head/graphics/jasper/files/patch-jp2_dec.c
  head/graphics/jasper/files/patch-jp2_enc.c
  head/graphics/jasper/files/patch-jpc_dec.c
  head/graphics/jasper/files/patch-jpc_qmfb.c
  head/graphics/jasper/files/patch-mif_cod.c

A commit references this bug:

Author: feld
Date: Wed Feb 24 20:22:25 UTC 2016
New revision: 409480
URL: https://svnweb.freebsd.org/changeset/ports/409480

Log:
  MFH: r409237

  - make option UUID default
  - fix double-free in jas_iccattrval_destroy()
    Obtained from: RedHat
    Security: CVE-2014-8137
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173157
  - fix heap overflow in jp2_decode()
    Obtained from: RedHat
    Security: CVE-2014-8138
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173162
  - dec->numtiles off-by-one check in jpc_dec_process_sot()
    Obtained from: RedHat, Fedora
    Security: CVE-2014-8157
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282
  - multiple stack-based buffer overflows
    Obtained from: RedHat, Fedora
    Security: CVE-2014-8158
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282
  - fix Heap overflows in libjasper
    Obtained from: RedHat
    Security: CVE-2014-9029
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1167537
  - fix Use-after-free (and double-free)
    Security: CVE-2015-5221
    Security: http://www.openwall.com/lists/oss-security/2015/08/20/4
    PR: 203504
  - patch (rows_ NULL check)
    Obtained from: RedHat
    Security: CVE-2016-2089
    Security: https://bugzilla.redhat.com/show_bug.cgi?id=1302636

  Approved by: ports-secteam (with hat)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/graphics/jasper/Makefile
  branches/2016Q1/graphics/jasper/files/patch-jas_icc.c
  branches/2016Q1/graphics/jasper/files/patch-jas_image.c
  branches/2016Q1/graphics/jasper/files/patch-jas_seq.c
  branches/2016Q1/graphics/jasper/files/patch-jas_types.h
  branches/2016Q1/graphics/jasper/files/patch-jp2_cod.c
  branches/2016Q1/graphics/jasper/files/patch-jp2_dec.c
  branches/2016Q1/graphics/jasper/files/patch-jp2_enc.c
  branches/2016Q1/graphics/jasper/files/patch-jpc_dec.c
  branches/2016Q1/graphics/jasper/files/patch-jpc_qmfb.c
  branches/2016Q1/graphics/jasper/files/patch-mif_cod.c