Bugzilla – Bug 1144260
Drop jasper dependency from opencv
Last modified: 2022-01-12 14:45:32 UTC
Regarding bsc#1130404. We plan to drop libjasper from the repos. Let's remove the build dependency on libjasper from opencv and thus disable JPEG2000 support.

Upstream issues:
https://github.com/opencv/opencv/issues/14145
https://github.com/opencv/opencv/issues/10453
https://github.com/opencv/opencv/issues/5849
SR#726130
SR#726173 did so far not get accepted. Copying comments here to have everything in one place.

maintainer: I don't think it is a good idea to drop JPEG2000 support completely.

me: Yes please comment this on https://bugzilla.suse.com/show_bug.cgi?id=1144260 which was opened quite some time ago. Like also mentioned there, there are upstream issues:
https://github.com/opencv/opencv/issues/14145
https://github.com/opencv/opencv/issues/10453
https://github.com/opencv/opencv/issues/5849
and JPEG2000 is not really a popular format so I don't think opencv suffers a lot when it's disabled. Debian, Gentoo, Alpine also are disabling this as we speak. Debian actually did years ago.

maintainer: Jpeg2000 is quite popular in the geo sciences.
@Stefan, Jasper will be removed from openSUSE repos. So it would be cool if you could accept the SR. Jasper has many security issues. Upstream is very inactive. If you don't want to lose JPEG2000 support in opencv you can either try to provide fixes for the jasper issues so it can stay or you can help opencv upstream by porting opencv to openjpeg. They have two issues open (since 2015/2018) for this:
https://github.com/opencv/opencv/issues/5849
https://github.com/opencv/opencv/issues/10453
So from a security POV we're in favor of dropping jasper. Since opencv is the only package depending on it we would like to ask you to please accept the submit authored by Michael. jasper is a constant pain for us and is a risk to the users of your package. Losing jpeg2000 support is unfortunate, but the risk introduced by the usage of jasper outweighs this.
Just dropping the build dependency causes OpenCV to use its own bundled version of Jasper (1.900.1), which contains significantly more vulnerabilities than the current distro version. I have started working on OpenCV JPEG2000 support via OpenJPEG, but this will take some time.
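A packaging check for the fallback described in the comment above, as an added example that is not part of the original thread: it classifies the JPEG 2000 backend from OpenCV's build-information text (as returned by `cv2.getBuildInformation()`) and fails on any Jasper or bundled copy. The sample lines are constructed and the `JPEG 2000:` line format is an assumption modelled on that output; `jpeg2000_backend` and `jasper_free` are hypothetical names.

```python
import re

# Assumed line format, e.g. "    JPEG 2000:    build (ver 1.900.1)".
LINE = re.compile(r"^\s*JPEG 2000:\s*(?P<value>.+?)\s*$", re.MULTILINE)
VER = re.compile(r"\(ver\s+(?P<ver>[^)]+)\)")


def sample(value):
    """Constructed build-information excerpt (not real output)."""
    return ("  Media I/O:\n"
            "    JPEG:                        /usr/lib64/libjpeg.so (ver 62)\n"
            "    JPEG 2000:                   %s\n" % value)


def jpeg2000_backend(build_info):
    """Return (kind, version) for the JPEG 2000 codec named in build_info."""
    m = LINE.search(build_info)
    if m is None:
        return ("absent", None)
    value = m.group("value")
    vm = VER.search(value)
    ver = vm.group("ver").strip() if vm else None
    low = value.lower()
    if low == "no":
        return ("disabled", None)
    if "openjpeg" in low:
        return ("openjpeg", ver)
    if low.startswith("build"):
        # Built from the source tree's own 3rdparty copy, not a distro package.
        return ("bundled", ver)
    if "jasper" in low:
        return ("system-jasper", ver)
    return ("other", ver)


def jasper_free(build_info):
    """True only if no Jasper (system or bundled fallback) was compiled in."""
    kind, _ = jpeg2000_backend(build_info)
    return kind in ("absent", "disabled", "openjpeg")


if __name__ == "__main__":
    for v in ("build (ver 1.900.1)", "NO",
              "/usr/lib64/libjasper.so (ver 2.0.14)", "OpenJPEG (ver 2.3.1)"):
        print(v, "->", jpeg2000_backend(sample(v)), jasper_free(sample(v)))
```

With a real build, pass the string from `cv2.getBuildInformation()` instead of the constructed samples.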
(In reply to Stefan Brüns from comment #8)
> Just dropping the build dependency causes OpenCV to use its own bundled
> version of Jasper (1.900.1), which contains significantly more
> vulnerabilities than the current distro version.

There were several packages using jasper. They are not my packages. The bugs were created and assigned to the maintainers of the respective packages. Like this bug is assigned to you, but you chose to ignore it for months. I created the SR as a favour, but I didn't check the package deeply enough it seems. In any case I think this is the responsibility of the respective maintainer.

> I have started working on OpenCV JPEG2000 support via OpenJPEG, but this
> will take some time.

This is good. If you start this now it's good. But it would have been even better if you could have started this when the bug report was created. Maybe OpenCV will lose JPEG2000 support in the meantime if Jasper is removed already, and can only have it back once the openjpeg solution is implemented. But let's see what will happen.
SR#766065 was accepted to the devel project.
SR#767987 got accepted to Factory.
Stefan started an attempt to port OpenCV to openjpeg: https://github.com/StefanBruens/opencv/tree/jpeg2000_openjpeg_port See https://github.com/opencv/opencv/issues/5849#issuecomment-579951522
Stefan's work was merged today: https://github.com/opencv/opencv/pull/16494