Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1173157 (CVE-2014-8137)

Summary: CVE-2014-8137 jasper: double-free in in jas_iccattrval_destroy() (oCERT-2014-012)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acathrow, alonbl, bazulay, bmcclain, carnil, cfergeau, dblechte, ecohen, gklein, idith, iheim, jpopelka, lsurette, michal.skrivanek, phracek, rbalakri, rh-spice-bugs, security-response-team, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 1.900.3 Doc Type: Bug Fix
Doc Text:
A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-18 13:25:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1173566, 1173567, 1173568, 1173569, 1175761, 1175762, 1175763, 1175764, 1185248, 1185249, 1188086    
Bug Blocks:    
Attachments:
Description Flags
Possible patch - variant 1
none
Possible patch - variant 2
none
Additional fix to avoid assert() abort none

Description Tomas Hoger 2014-12-11 14:54:47 UTC
oCERT reports a double-free issue in jas_iccattrval_destroy() in jasper:

  In jas_icctxt_input() if there's an error, there's a call to
  jas_free(txt->string) which is freeing attrval->data.txt, but later on
  jas_iccattrval_destroy it tries to call free on it again.

Acknowledgements:

Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.

Comment 2 Tomas Hoger 2014-12-11 15:23:30 UTC
Created attachment 967282 [details]
Possible patch - variant 1

This uses somewhat conservative approach.  It changes iccattrvalinfo destroy ops functions to set variables to NULL after free(), so even if called repeatedly, double-free is avoided.  It also changes jas_icctxt_input() to call jas_icctxt_destroy() on error, rather than performing memory freeing directly.

Comment 3 Tomas Hoger 2014-12-11 15:28:12 UTC
Created attachment 967283 [details]
Possible patch - variant 2

This removes jas_icc*_destroy() calls from error code paths in iccattrvalinfo input ops functions (jas_icc*_input()).  This should not introduce any memory leak, as input ops functions only seem to be called from jas_iccprof_load(), and if they return error, jas_iccattrval_destroy() gets called, which leads to destroy op call.

        if ((*attrval->ops->input)(attrval, in, len)) {
            goto error;
        }

  ...

error:
  ...
    if (attrval)
        jas_iccattrval_destroy(attrval);

Comment 4 Tomas Hoger 2014-12-11 15:31:03 UTC
Created attachment 967284 [details]
Additional fix to avoid assert() abort

If one of the above patches is applied, assert(iccprof) is triggered in jp2_decode(), aborting application using jasper.  This fix makes jasper fail more gracefully.

Comment 5 Jiri Popelka 2014-12-11 17:17:53 UTC
All patches look good to me. I have no problem with the 'not so conservative' patch (variant 2). It doesn't seem to cause any leaks.

Comment 6 Tomas Hoger 2014-12-11 19:57:39 UTC
Ack, thank you for review.  I also view the second variant as preferred.

Comment 9 Tomas Hoger 2014-12-18 14:15:24 UTC
Public now via oCERT-2014-012 advisory.

External References:

http://www.ocert.org/advisories/ocert-2014-012.html

Comment 10 Tomas Hoger 2014-12-18 14:18:42 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1175762]
Affects: epel-7 [bug 1175764]

Comment 11 Tomas Hoger 2014-12-18 14:18:44 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1175761]
Affects: epel-5 [bug 1175763]

Comment 13 errata-xmlrpc 2014-12-18 18:31:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:2021 https://rhn.redhat.com/errata/RHSA-2014-2021.html

Comment 14 Fedora Update System 2014-12-29 09:55:01 UTC
mingw-jasper-1.900.1-25.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-12-29 09:55:15 UTC
mingw-jasper-1.900.1-25.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-12-29 10:01:49 UTC
mingw-jasper-1.900.1-25.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2015-01-03 00:13:19 UTC
mingw-jasper-1.900.1-25.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2015-01-06 06:04:35 UTC
jasper-1.900.1-27.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2015-01-06 06:07:15 UTC
jasper-1.900.1-26.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2015-01-06 06:10:27 UTC
jasper-1.900.1-29.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 errata-xmlrpc 2015-03-18 12:12:40 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html

Comment 24 Fedora Update System 2015-05-11 00:53:14 UTC
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 errata-xmlrpc 2015-09-03 17:08:49 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2015:1713 https://rhn.redhat.com/errata/RHSA-2015-1713.html

Comment 26 Tomas Hoger 2016-11-23 22:55:54 UTC
Fixed upstream in version 1.900.3:

https://github.com/mdadams/jasper/commit/4bb93a6c49da7c1b6ad2acb60b18954a6547c637