Related: #1396986 - fix CVE-2016-9396

jasper-2.0.14-CVE-2016-9396.patch

@@ -0,0 +1,13 @@
+diff -urNp old/src/libjasper/jpc/jpc_cs.c new/src/libjasper/jpc/jpc_cs.c
+--- old/src/libjasper/jpc/jpc_cs.c	2018-05-30 09:01:54.160406645 +0200
++++ new/src/libjasper/jpc/jpc_cs.c	2018-05-30 09:05:24.527094308 +0200
+@@ -795,6 +795,9 @@ static int jpc_cox_getcompparms(jpc_ms_t
+ 	if (compparms->numdlvls > 32) {
+ 		goto error;
+ 	}
++	if (compparms->qmfbid != JPC_COX_INS &&
++	    compparms->qmfbid != JPC_COX_RFT)
++		goto error;
+ 	compparms->numrlvls = compparms->numdlvls + 1;
+ 	if (compparms->numrlvls > JPC_MAXRLVLS) {
+ 		goto error;

jasper.spec

@@ -6,13 +6,13 @@
 Summary: Implementation of the JPEG-2000 standard, Part 1
 Name:    jasper
 Version: 2.0.14
-Release: 4%{?dist}
+Release: 5%{?dist}
 
 License: JasPer
 URL:     http://www.ece.uvic.ca/~frodo/jasper/
 Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}.tar.gz
 
-
+Patch1: jasper-2.0.14-CVE-2016-9396.patch
 # architecture related patches
 Patch100: jasper-2.0.2-test-ppc64-disable.patch
 Patch101: jasper-2.0.2-test-ppc64le-disable.patch
@@ -60,6 +60,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %prep
 %setup -q -n %{name}-%{version}
 
+%patch1 -p1 -b .CVE-2016-9396
 # Need to disable one test to be able to build it on ppc64 arch
 # At ppc64 this test just stuck (nothing happend - no exception or error)
 
@@ -134,6 +135,9 @@ popd
 
 
 %changelog
+* Wed May 30 2018 Josef Ridky <jridky@redhat.com> - 2.0.14-5
+- Fix CVE-2016-9396 (#1396986)
+
 * Thu Mar 08 2018 Josef Ridky <jridky@redhat.com> - 2.0.14-4
 - Fix gcc dependency