Package name: libjasper
Version: 2.0.12
Upstream: Michael David Adams
License: JasPer License
Description: JasPer JPEG-2000 runtime library

This package has been scheduled for removal after the Stretch release but is very important to me, as it can be used to add JPEG 2000 support to OpenCV (many satellite images come as JPEG 2000). The new upstream on GitHub provides frequent updates as well as a decent CMake build system, so I see no reason not to get it back in the archive :)

In the meanwhile, I made my own package to rebuild OpenCV and it's available here:
https://cloud.le-vert.net/index.php/s/2Ci3X1ARrZiONK4

I could easily finish the package to get it in a perfect state, but I am no DM and have no sponsor, so if someone is interested in uploading the package for me, just drop me a mail and I'll make a proper release.

Best regards,
Adam.
Hi,

At the very least you'll need to address the old CVEs in that case:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=jasper
- CVE-2016-8693
- CVE-2016-8691
- CVE-2016-8692
- CVE-2016-8690

I personally fought against having duplicate JPEG 2000 libraries in Debian (esp. since jasper seems dead upstream). I still believe you should invest some time in replacing jasper with OpenJPEG throughout your OpenCV codebase, since OpenJPEG is used to manipulate satellite images in professional environments.

2cts
-M
Hi,

Thanks for the feedback. I think the CVEs have been addressed upstream but, of course, it has to be verified first.

Btw, I'm not involved at all in OpenCV, so sadly my biggest concern is to have a working python3 OpenCV package...

Regards,
Adam.
Control:retitle -1 ITP: libjasper -- JasPer JPEG-2000 runtime library
Hi,
I finished the updated package and reviewed all the CVEs patches that were included.
Everything is documented in the changelog and there's only one patch not merged yet but I pull-requested it on GitHub.
I guess it's sadly way too late to get it back for Stretch, but anyway, that would be great to have it in unstable.
Again, it enables JPEG2000 support on OpenCV and that's something Debian cannot miss.
Package available here: https://mentors.debian.net/package/jasper
Changelog:
* Re-introduce package into archive using different upstream
(Closes: #862727).
* Review all patches:
- 01-misc-fixes dropped (merged, obsolete),
- 02-fix-filename-buffer-overflow updated (forwarded),
- 03-CVE-2011-4516-and-CVE-2011-4517 dropped
merged upstream as 0d22460816ea58e74a124158fa6cc48efb709a47
- 04-CVE-2014-9029 dropped
merged upstream as 5dbe57e4808bea4b83a97e2f4aaf8c91ab6fdecb
- 05-CVE-2014-8137 dropped
merged upstream as 4bb93a6c49da7c1b6ad2acb60b18954a6547c637
- 06-CVE-2014-8138 dropped
merged upstream as c54113d6fa49f8f26d1572e972b806276c5b05d5
- 07-CVE-2014-8157 dropped
merged upstream as 3fd4067496d8ef70f11841d7492ddeb1f1d56915
- 08-CVE-2014-8158 dropped
merged upstream as 0d64bde2b3ba7e1450710d540136a8ce4199ef30
- 09-CVE-2016-1577 dropped
merged upstream as 74ea22a7a4fe186e0a0124df25e19739b77c4a29
- 10-CVE-2016-2089 dropped
merged upstream as c87ad330a8b8d6e5eb0065675601fdfae08ebaab
- 11-CVE-2016-2116 dropped
merged upstream as 142245b9bbb33274a7c620aa7a8f85bc00b2d68e
- 12_CVE-2016-1867_CVE-2016-8654_CVE-2016-8691... dropped:
merged upstream as:
* 3c55b399c36ef46befcb21e4ebc4799367f89684
* d8c2604cd438c41ec72aff52c16ebd8183068020
* 1abc2e5a401a4bf1d5ca4df91358ce5df111f495
* 69a1439a5381e42b06ec6a06ed2675eb793babee
* 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a
* 980da43d8d388a67cac505e734423b2a5aa4cede
- 14_CVE-2016-10249 dropped:
merged upstream as:
* f596a0766825b48cdc07b28d2051977a382cfb95
* 988f8365f7d8ad8073b6786e433d34c553ecf568
- 15_CVE-2016-10251.patch dropped
merged upstream as 1f0dfe5a42911b6880a1445f13f6d615ddb55387
* New upstream release:
- Upstream now uses CMake (change b-deps, change rules),
- Enable --parallel when building,
- Remove static library, not built anymore,
- Add doxygen b-dep to generate doc,
- Install HTML documentation in libjasper-doc package,
- Bump library package name to libjasper4,
- Raise JAS_DEC_DEFAULT_MAX_SAMPLES value (max file size),
- Rewrite copyright to machine-readable format,
- Rewrite watch to be able to use mk-origtargz.
Lintian all clear...
Thanks in advance for your support,
Regards, Adam.
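As an added example (not code from this thread, from Debian's packaging or from the jasper project): a small script that turns a "Review all patches" changelog block like the one above into a CVE-to-upstream-commit map, flags CVE patches that were dropped without a cited upstream commit, and, when a local clone of the upstream repository is available, asks git whether each cited commit is actually contained in the release tag. This is the check a sponsor would want to run before accepting "merged upstream as <hash>" at face value. The changelog excerpt embedded below is constructed from entries quoted in this message; the repository path and the tag name `version-2.0.12` are assumptions about how the clone and upstream tags are laid out.

```python
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt, modelled on the changelog quoted in this thread.
# Only a handful of the entries are reproduced; the commit ids are the
# ones the message cites.
SAMPLE_CHANGELOG = """\
  * Review all patches:
    - 03-CVE-2011-4516-and-CVE-2011-4517 dropped
      merged upstream as 0d22460816ea58e74a124158fa6cc48efb709a47
    - 04-CVE-2014-9029 dropped
      merged upstream as 5dbe57e4808bea4b83a97e2f4aaf8c91ab6fdecb
    - 12_CVE-2016-1867_CVE-2016-8654_CVE-2016-8691... dropped:
      merged upstream as:
        * 3c55b399c36ef46befcb21e4ebc4799367f89684
        * d8c2604cd438c41ec72aff52c16ebd8183068020
    - 02-fix-filename-buffer-overflow updated (forwarded),
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b")


@dataclass
class PatchEntry:
    name: str                      # debian/patches file name as written in the changelog
    cves: List[str]                # CVE ids parsed out of that name
    commits: List[str] = field(default_factory=list)  # upstream commits cited for it
    truncated: bool = False        # name ended in "...", so the CVE list may be incomplete


def parse_patch_review(text: str) -> List[PatchEntry]:
    """Parse a '- <patch> dropped / merged upstream as <sha>' block into entries."""
    entries: List[PatchEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):
            token = line[2:].split()[0]
            truncated = token.endswith("...")
            name = token[:-3] if truncated else token
            # A hash may sit on the same line as the entry, so scan it too.
            entries.append(PatchEntry(name, CVE_RE.findall(name),
                                      SHA1_RE.findall(line), truncated))
        elif entries:
            # Continuation lines ("merged upstream as ...", "* <sha>") belong
            # to the most recent entry.
            entries[-1].commits.extend(SHA1_RE.findall(line))
    return entries


def cves_without_upstream_commit(entries: List[PatchEntry]) -> List[str]:
    """CVE ids whose patch was listed without any upstream commit to point at."""
    return [cve for e in entries if not e.commits for cve in e.cves]


def ancestor_of(repo: str, commit: str, ref: str) -> Optional[bool]:
    """True/False if git says `commit` is (not) contained in `ref`.

    Returns None when git is missing, `repo` is not a repository, or the
    object is unknown, so the caller can tell "unverified" from "not merged".
    """
    if shutil.which("git") is None:
        return None
    result = subprocess.run(
        ["git", "-C", repo, "merge-base", "--is-ancestor", commit, ref],
        capture_output=True)
    if result.returncode == 0:
        return True
    if result.returncode == 1:
        return False
    return None  # exit 128: bad repo path or unknown object


def verify_against_release(repo: str, entries: List[PatchEntry],
                           ref: str) -> Dict[str, Optional[bool]]:
    """Map every cited commit to whether it is contained in the release ref."""
    return {c: ancestor_of(repo, c, ref) for e in entries for c in e.commits}


if __name__ == "__main__":
    parsed = parse_patch_review(SAMPLE_CHANGELOG)
    for entry in parsed:
        print(entry.name, entry.cves, entry.commits, "(truncated)" if entry.truncated else "")
    print("CVEs without an upstream commit:", cves_without_upstream_commit(parsed))
    # Assumed clone location and upstream tag naming; adjust to your checkout.
    print(verify_against_release("./jasper", parsed, "version-2.0.12"))
```

Entries whose name ends in "..." are flagged as truncated because the CVE list printed in the changelog is visibly cut short, so the script cannot claim to have mapped every CVE in that patch; a reviewer should open the patch header instead. A `None` in the verification map means "could not check", never "merged".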
Control: retitle -1 ITP: jasper -- JasPer JPEG-2000 runtime library

WNPP is for coordinating who packages what, not for requesting sponsorship. Please submit a separate bug against the sponsorship-requests pseudo-package for your RFS.

Thanks
Adrian
This is not a one-off upload, jasper causes a significant
security maintenance overhead. Please only sponsor/upload that if
you're also fully available to address stable-security.
If you're proceeding with this in unstable, then I also
expect you to deal with src:jasper in jessie from this
point forward.
We should rather stick with one implementation, namely
openjpeg2. Why don't you port opencv instead?
Cheers,
Moritz
Hi all,

Sending everyone that discussed on the bug an email.

Since version 2.0.19 (2020-07-11) libjasper is now reasonably actively maintained and CVEs have been dealt with. For support in some KDE/Plasma packages I have revived/made some packaging of the current version (2.0.33, from 2021-08-01).

Adam, are you still interested in getting this back into Debian? Any other comment?

BTW, my source packages are built on OBS:
https://build.opensuse.org/package/show/home:npreining:debian-kde:other-deps/jasper

All the best
Norbert
Hi all,

Switching from jasper to openjpeg was mainly because of:
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681234

I do not know if this has been fixed upstream since. In any case: imagemagick, poppler and gdcm have all switched to the openjpeg 2.x ABI (see usertag: stretch2000). I believe chrome is also using openjpeg for the PDF support.

I see that opencv has support for openjpeg:
* https://github.com/opencv/opencv/blob/master/modules/imgcodecs/src/grfmt_jpeg2000_openjpeg.cpp

Technically opencv is built against gdcm, so openjpeg is already a dependency of opencv in Debian.

Things may have changed a bit, but I believe openjpeg supports decoding by tile (I believe jasper required the entire image in memory).

I do not mind having another JPEG 2000 implementation in Debian, but keep in mind that those low-level imaging libraries have all sorts of potential CVEs attached to them. It would be nice to include the KDE rationale for picking jasper over openjpeg; maybe there is a particular feature that is missing, which may convince the debian-security team to help with maintenance.

2cts
-M
Hi

Agreed. Good question ... maybe I'll bug them about switching to openjpeg ... but not sure what the outcome will be.

Best
Norbert
Hi

Actually not KDE, but Qt ... (forgot about it). It is in src:qtimageformats-opensource-src where the support is contained, and it only supports jasper. And all the KDE programs depend on that ...

Best
Norbert