Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1173157 (CVE-2014-8137)
Summary: | CVE-2014-8137 jasper: double-free in in jas_iccattrval_destroy() (oCERT-2014-012) | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||||
Severity: | low | Docs Contact: | |||||||||
Priority: | low | ||||||||||
Version: | unspecified | CC: | acathrow, alonbl, bazulay, bmcclain, carnil, cfergeau, dblechte, ecohen, gklein, idith, iheim, jpopelka, lsurette, michal.skrivanek, phracek, rbalakri, rh-spice-bugs, security-response-team, yeylon | ||||||||
Target Milestone: | --- | Keywords: | Security | ||||||||
Target Release: | --- | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | jasper 1.900.3 | Doc Type: | Bug Fix | ||||||||
Doc Text: |
A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
|
Story Points: | --- | ||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2015-03-18 13:25:16 UTC | Type: | --- | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Bug Depends On: | 1173566, 1173567, 1173568, 1173569, 1175761, 1175762, 1175763, 1175764, 1185248, 1185249, 1188086 | ||||||||||
Bug Blocks: | |||||||||||
Attachments: |
|
Description
Tomas Hoger
2014-12-11 14:54:47 UTC
Created attachment 967282 [details]
Possible patch - variant 1
This uses somewhat conservative approach. It changes iccattrvalinfo destroy ops functions to set variables to NULL after free(), so even if called repeatedly, double-free is avoided. It also changes jas_icctxt_input() to call jas_icctxt_destroy() on error, rather than performing memory freeing directly.
Created attachment 967283 [details]
Possible patch - variant 2
This removes jas_icc*_destroy() calls from error code paths in iccattrvalinfo input ops functions (jas_icc*_input()). This should not introduce any memory leak, as input ops functions only seem to be called from jas_iccprof_load(), and if they return error, jas_iccattrval_destroy() gets called, which leads to destroy op call.
if ((*attrval->ops->input)(attrval, in, len)) {
goto error;
}
...
error:
...
if (attrval)
jas_iccattrval_destroy(attrval);
Created attachment 967284 [details]
Additional fix to avoid assert() abort
If one of the above patches is applied, assert(iccprof) is triggered in jp2_decode(), aborting application using jasper. This fix makes jasper fail more gracefully.
All patches look good to me. I have no problem with the 'not so conservative' patch (variant 2). It doesn't seem to cause any leaks. Ack, thank you for review. I also view the second variant as preferred. Public now via oCERT-2014-012 advisory. External References: http://www.ocert.org/advisories/ocert-2014-012.html Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1175762] Affects: epel-7 [bug 1175764] Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1175761] Affects: epel-5 [bug 1175763] This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:2021 https://rhn.redhat.com/errata/RHSA-2014-2021.html mingw-jasper-1.900.1-25.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. mingw-jasper-1.900.1-25.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. mingw-jasper-1.900.1-25.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. mingw-jasper-1.900.1-25.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. jasper-1.900.1-27.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. jasper-1.900.1-26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. jasper-1.900.1-29.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: RHEV Manager version 3.5 Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 RHEV-H and Agents for RHEL-7 Via RHSA-2015:1713 https://rhn.redhat.com/errata/RHSA-2015-1713.html Fixed upstream in version 1.900.3: https://github.com/mdadams/jasper/commit/4bb93a6c49da7c1b6ad2acb60b18954a6547c637 |