Bug 1167537 (CVE-2014-9029) - CVE-2014-9029 jasper: incorrect component number check in COC, RGN and QCC marker segment decoders (oCERT-2014-009)
Summary: CVE-2014-9029 jasper: incorrect component number check in COC, RGN and QCC ma...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-9029
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1170650 1170652 1170654 1170655 1171207 1171208 1171209 1171210 1171211 1171212 1171213 1171214
Blocks:
Reported: 2014-11-25 02:57 UTC by Murray McAllister
Modified: 2023-05-12 06:05 UTC (History)

Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Doc Text:
Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2015-03-18 13:25:12 UTC
Embargoed:


Attachments (Terms of Use)
Proposed patch (deleted)
2014-11-27 11:55 UTC, Tomas Hoger
jpopelka: review+


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:2021 0 normal SHIPPED_LIVE Important: jasper security update 2014-12-18 23:31:00 UTC
Red Hat Product Errata RHSA-2015:0698 0 normal SHIPPED_LIVE Important: rhevm-spice-client security, bug fix, and enhancement update 2015-03-18 16:11:47 UTC

Description Murray McAllister 2014-11-25 02:57:55 UTC
A heap-based buffer overflow flaw was reported in JasPer's jpc_dec_cp_setfromcox() and jpc_dec_cp_setfromrgn() functions. Processing a specially-crafted image with an application that uses JasPer could cause the application to crash or, potentially, execute arbitrary code.

Acknowledgements:

Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.

Comment 2 Tomas Hoger 2014-11-27 11:55:20 UTC
Created attachment 961994 [details]
Proposed patch

This seems to be an off-by-one issue in jpc_dec_process_coc and jpc_dec_process_rgn.  There are existing checks to ensure that coc->compno / rgn->compno is not more than dec->numcomps.  The reason is that compno is later used as an index into jpc_dec_cp_t's ccps[] array, which is allocated to have numcomps entries.  However, compno == numcomps is already out of the allocated bounds, and the checks should be adjusted to error out when compno >= numcomps, rather than when compno > numcomps.

There is a similar issue in jpc_dec_process_qcc, which is also corrected by this patch.
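
The off-by-one described in this comment, as an added example in C that is not JasPer's code or the attached patch: the structures are constructed stand-ins for the decoder's per-component parameter array, and the two check functions model the pre-fix (compno > numcomps) and corrected (compno >= numcomps) comparisons.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for JasPer's structures (not the project's code):
 * ccps has exactly numcomps entries, so valid indices are 0 .. numcomps-1. */
typedef struct { unsigned numrlvls; } ccp_t;
typedef struct { unsigned numcomps; ccp_t *ccps; } cp_t;

/* The pre-fix check: it only rejects compno > numcomps, so compno == numcomps
 * passes and later indexes ccps[numcomps], one element past the allocation
 * (the heap-based buffer overflow). */
bool compno_ok_vulnerable(unsigned compno, unsigned numcomps) {
    return !(compno > numcomps);
}

/* The corrected check: reject compno >= numcomps. */
bool compno_ok_fixed(unsigned compno, unsigned numcomps) {
    return !(compno >= numcomps);
}

/* Apply a COC/RGN/QCC-style per-component parameter using the fixed check.
 * Returns 0 on success, -1 when the marker's component number is out of range. */
int set_component_param(cp_t *cp, unsigned compno, unsigned numrlvls) {
    if (!compno_ok_fixed(compno, cp->numcomps))
        return -1;               /* would otherwise write to cp->ccps[numcomps] */
    cp->ccps[compno].numrlvls = numrlvls;
    return 0;
}

/* Allocate a parameter set with numcomps entries and apply a marker that
 * names component compno.  Returns set_component_param's result. */
int process_marker(unsigned numcomps, unsigned compno) {
    cp_t cp;
    cp.numcomps = numcomps;
    cp.ccps = calloc(numcomps, sizeof(ccp_t));   /* numcomps entries, as in JasPer */
    if (!cp.ccps)
        return -1;
    int rc = set_component_param(&cp, compno, 5);
    free(cp.ccps);
    return rc;
}

int main(void) {
    /* A marker naming component 3 in a 3-component image: */
    printf("old check accepts compno == numcomps: %d\n", compno_ok_vulnerable(3, 3));
    printf("fixed check accepts it:               %d\n", compno_ok_fixed(3, 3));
    printf("process_marker(3, 3) -> %d (rejected)\n", process_marker(3, 3));
    return 0;
}
```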

Comment 4 Jiri Popelka 2014-11-27 13:23:03 UTC
Comment on attachment 961994 [details]
Proposed patch

Patch looks good to me. Thanks Tomas!

Comment 6 Tomas Hoger 2014-12-04 14:36:57 UTC
Public now via oCERT-2014-009 advisory.

External References:

http://www.ocert.org/advisories/ocert-2014-009.html

Comment 7 Tomas Hoger 2014-12-04 14:39:01 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1170652]
Affects: epel-7 [bug 1170655]

Comment 8 Tomas Hoger 2014-12-04 14:39:06 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1170650]
Affects: epel-5 [bug 1170654]

Comment 12 Martin Prpič 2014-12-09 08:40:15 UTC
IssueDescription:

Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

Comment 13 errata-xmlrpc 2014-12-18 18:31:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:2021 https://rhn.redhat.com/errata/RHSA-2014-2021.html

Comment 15 Fedora Update System 2015-01-06 06:04:32 UTC
jasper-1.900.1-27.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-01-06 06:07:12 UTC
jasper-1.900.1-26.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2015-01-06 06:10:23 UTC
jasper-1.900.1-29.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 errata-xmlrpc 2015-03-18 12:12:30 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html

Comment 19 Fedora Update System 2015-05-11 00:52:56 UTC
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Tomas Hoger 2016-11-23 22:26:06 UTC
Fix was integrated upstream in version 1.900.2:

https://github.com/mdadams/jasper/commit/5dbe57e4808bea4b83a97e2f4aaf8c91ab6fdecb

