internal jasper should be patched for CVE-2007-2721

Thanks for the heads-up! We will prepare updates. Is there a reason that ghostscript doesn't link against the system libjasper instead?

I have simply taken the Ghostscript as it comes from upstream.

Ralph, can you tell what is changed in the libjasper which comes with Ghostscript and whether one could perhaps come to an agreement with libjasper upstream to make it possible for Ghostscript to use the system's libjasper?

Dapper is not affected: jasper was not included in the code.

Thanks for the prompt response!

There are two main issues: One is a patch for handling broken streams produced by certain popular authoring software. Upstream rejected the patch because it increases memory footprint (a "you can free this" tag is incorrect in these files). A combination of not-my-problem and the usual tension between a reference implementation and liberal acceptance for applications. The jpeg2k implementation in libpoppler works around such files in the same way.

Analysis and patch here: http://bugs.ghostscript.com/show_bug.cgi?id=687416

The second is a patch to add support for returning raw palette data, which is required by the PDF spec. I haven't tried getting this one upstream.

Since then our fork has diverged a bit more (error reporting through a callback instead of printf() and assert() and some optimizations, both of which are most important on Windows) but the API difference can be ifdef'd around. So lInking with the system libjasper could be done at the expense of handling these files. Or you could apply our patches to your libjasper. The two specific ones mentioned above are ABI compatible.

I hope to try again for upstream inclusion when I get a chance to merge our changes into the 1.900.1 release.

http://www.ubuntu.com/usn/usn-501-2

Fix in 8.61.dfsg.1~svn8187-1.1