Status of CVE "CVE-2021-27845"

Hi Team,

Could you please let us know the status of mentioned CVE “CVE-2021-27845”

Does it impact Package “jasper-2.0.14-5.el8.x86_64.rpm”

Regards,
Neha Juneja

For some reason Red Hat has no entry for CVE-2021-27845. One should ask Red Hat why they don’t.

Furthermore, AlmaLinux 8 has only jasper-libs but no jasper.
Looks like jasper is not “included in” el8, unlike el7 and el9 that do have it.

There is jasper in AlmaLinux 8 Devel, but AlmaLinux Repositories | AlmaLinux Wiki says:

Content in the Devel repo includes packages that are not normally provided in the base nor extra repositories, but needed for build-time dependencies of other packages. Devel is NOT meant to satisfy runtime dependencies or for long term use on general purpose machines.

CVE in package that is supposedly not in use nor mentioned by Red Hat isn’t on the top of todo list, is it? Then again, the jasper-libs is clearly in el8, so the CVE could perhaps apply.

Look, here’s the source for AlmaLinux 8’s version of jasper:

The patch for CVE-2021-27845 looks like this and is not included:

  1. Is that mean, CVE “CVE-2021-27845” is not fixed in Alma for jasper-libs?
  2. If not, When you are planning to fix it?

That’s something you could ask Red Hat, the package was taken as is from their sources. I don’t know when or if this is fixed. You could patch it yourself to be on the safe side.

1 Like

I have created an issue at the Red Hat bug tracker:
https://issues.redhat.com/browse/RHEL-25160

3 Likes

Given that it’s a 5.5-Medium score, it won’t likely be a high priority for Red Hat to patch unless customers tell them that they are specifically impacted by it. That doesn’t mean someone from the AlmaLinux community can’t still submit a patch to it here and upstream via CentOS Stream.

1 Like