Just read the conclusions if you don't have much time.
This is the result of me looking for CVEs in file format libraries and
trying to apply fixes. I couldn't find any fixes for graphics/jasper.
# Brief introduction to jasper
- It's a library that implements JPEG 2000 support (.jp2 file format)
- it was just updated by me to 2.0.16.
- the last release was a few years ago
- this release wasn't uploaded properly, only tagged
- the only change was to fix 1/26 CVEs that affect 2.0.14
Conclusion: jasper implements a lesser-used image format, and its
maintenance state is very poor. From a security perspective, it's
# Status of third-party projects:
- Some programs (like GIMP) have transitioned to OpenJPEG.
It also implements JPEG 2000, but more completely, according to
Wikipedia. It is also better maintained.
- Others (like opencv) maintain jasper as an optional dependency.
- Projects like Debian, Gentoo, and OpenSUSE are removing JPEG 2000
support from packages to avoid jasper.
By doing this, Debian has removed the jasper package completely.
Conclusion: jasper is going away.
# List of packages that use jasper in pkgsrc:
- graphics/GraphicsMagick - jasper is in PKG_SUGGESTED_OPTIONS
- graphics/dcraw - EOL, replacement is apparently libraw
- devel/devIL - non-optional, would probably need to be patched out
- geography/gdal-lib - can be switched to OpenJPEG
- graphics/gdk-pixbuf2-jasper - module, should be fine to keep...?
- graphics/gegl - optional, could be turned off
- x11/kdelibs4 - EOL
- multimedia/kodi - Broken, unmaintained
- graphics/libraw - optional, could be turned off
apparently jasper is only used for RedCine files
- graphics/netpbm - ... not optional? difficult to tell
- graphics/opencv - optional, could be turned off
- graphics/opencv2 - optional, could be turned off
- x11/qt5-qtimageformats - optional, could be turned off
Conclusion: we could mostly get rid of jasper if we wanted to.
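The package list above was compiled by hand. As an added example (not part of the original post, and not pkgsrc's own tooling), here is a small POSIX sh audit that reproduces that kind of list mechanically: it walks a pkgsrc checkout and reports every package that pulls in graphics/jasper, classifying the dependency as "hard" when the include sits in the package Makefile or buildlink3.mk, or "optional" when it only appears in options.mk. It assumes the standard pkgsrc layout (<root>/<category>/<pkg>/{Makefile,options.mk,buildlink3.mk}) and that a package uses jasper by including "../../graphics/jasper/buildlink3.mk"; the miniature tree it builds when run without PKGSRCDIR is constructed sample data, not real pkgsrc content.

```shell
#!/bin/sh
# Added example, not from the original post: audit a pkgsrc checkout for
# packages that link against graphics/jasper and report whether the
# dependency is hard (included unconditionally from Makefile or
# buildlink3.mk) or optional (included from options.mk, so a PKG_OPTIONS
# change can drop it). Assumes the standard pkgsrc layout
# <root>/<category>/<pkg>/{Makefile,options.mk,buildlink3.mk} and that a
# package uses jasper via '.include "../../graphics/jasper/buildlink3.mk"'.

JASPER_BL3='graphics/jasper/buildlink3.mk'

# has_include <file>: true if the file exists and includes jasper's buildlink3.mk
has_include() {
    [ -f "$1" ] && grep -qF "$JASPER_BL3" "$1"
}

# jasper_users <pkgsrc-root>: print "<category>/<pkg> <hard|optional>" lines, sorted
jasper_users() {
    _root=$1
    for _pkgdir in "$_root"/*/*/; do
        _pkgdir=${_pkgdir%/}
        [ -d "$_pkgdir" ] || continue
        _pkg=${_pkgdir#"$_root"/}
        case "$_pkg" in
            graphics/jasper) continue ;;   # the library itself
        esac
        if has_include "$_pkgdir/Makefile" || has_include "$_pkgdir/buildlink3.mk"; then
            echo "$_pkg hard"
        elif has_include "$_pkgdir/options.mk"; then
            echo "$_pkg optional"
        fi
    done | LC_ALL=C sort
}

# make_sample_tree: build a constructed miniature pkgsrc tree (sample data,
# not real pkgsrc content) in a temporary directory and print its path
make_sample_tree() {
    _t=$(mktemp -d)
    mkdir -p "$_t/graphics/jasper" "$_t/devel/devIL" "$_t/graphics/opencv" \
             "$_t/graphics/gegl" "$_t/geography/gdal-lib"
    printf 'BUILDLINK_TREE+=\tjasper\n' > "$_t/graphics/jasper/buildlink3.mk"
    # unconditional include in the Makefile: hard dependency
    printf '.include "../../graphics/jasper/buildlink3.mk"\n.include "../../mk/bsd.pkg.mk"\n' \
        > "$_t/devel/devIL/Makefile"
    # include guarded by a PKG_OPTIONS test in options.mk: optional dependency
    printf '.if !empty(PKG_OPTIONS:Mjasper)\n.include "../../graphics/jasper/buildlink3.mk"\n.endif\n' \
        > "$_t/graphics/opencv/options.mk"
    printf '.include "../../mk/bsd.pkg.mk"\n' > "$_t/graphics/opencv/Makefile"
    printf '.if !empty(PKG_OPTIONS:Mjasper)\n.include "../../graphics/jasper/buildlink3.mk"\n.endif\n' \
        > "$_t/graphics/gegl/options.mk"
    # no jasper at all (uses openjpeg instead): must not be reported
    printf '.include "../../graphics/openjpeg/buildlink3.mk"\n' > "$_t/geography/gdal-lib/Makefile"
    echo "$_t"
}

# Stand-alone run: audit $PKGSRCDIR if set, otherwise the constructed sample tree.
if [ -n "${PKGSRCDIR:-}" ]; then
    jasper_users "$PKGSRCDIR"
else
    _demo=$(make_sample_tree)
    jasper_users "$_demo"
    rm -rf "$_demo"
fi
```

Run it as `PKGSRCDIR=/usr/pkgsrc sh jasper-audit.sh` against a real checkout. The "optional" classification only says the include lives in options.mk; whether the option is on by default still has to be read from PKG_SUGGESTED_OPTIONS in that file, as the GraphicsMagick entry above illustrates.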