Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1173157 (CVE-2014-8137) - CVE-2014-8137 jasper: double-free in in jas_iccattrval_destroy() (oCERT-2014-012)
Summary: CVE-2014-8137 jasper: double-free in in jas_iccattrval_destroy() (oCERT-2014-...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8137
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1173566 1173567 1173568 1173569 1175761 1175762 1175763 1175764 1185248 1185249 1188086
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-11 14:54 UTC by Tomas Hoger
Modified: 2023-05-12 06:54 UTC (History)
19 users (show)

Fixed In Version: jasper 1.900.3
Doc Type: Bug Fix
Doc Text:
A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2015-03-18 13:25:16 UTC
Embargoed:

Attachments (Terms of Use)
Possible patch - variant 1 (deleted)
2014-12-11 15:23 UTC, Tomas Hoger 		no flags Details | Diff
Possible patch - variant 2 (deleted)
2014-12-11 15:28 UTC, Tomas Hoger 		no flags Details | Diff
Additional fix to avoid assert() abort (deleted)
2014-12-11 15:31 UTC, Tomas Hoger 		no flags Details | Diff
Show Obsolete (1) View All


Links
System ID Private Priority Status Summary Last Updated
Novell 909474 0 None None None Never
Red Hat Product Errata RHSA-2014:2021 0 normal SHIPPED_LIVE Important: jasper security update 2014-12-18 23:31:00 UTC
Red Hat Product Errata RHSA-2015:0698 0 normal SHIPPED_LIVE Important: rhevm-spice-client security, bug fix, and enhancement update 2015-03-18 16:11:47 UTC
Red Hat Product Errata RHSA-2015:1713 0 normal SHIPPED_LIVE Important: rhev-hypervisor security, bug fix, and enhancement update 2015-09-03 21:08:30 UTC

Description Tomas Hoger 2014-12-11 14:54:47 UTC 
oCERT reports a double-free issue in jas_iccattrval_destroy() in jasper:

  In jas_icctxt_input() if there's an error, there's a call to
  jas_free(txt->string) which is freeing attrval->data.txt, but later on
  jas_iccattrval_destroy it tries to call free on it again.

Acknowledgements:

Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.
Comment 2 Tomas Hoger 2014-12-11 15:23:30 UTC 
Created attachment 967282 [details]
Possible patch - variant 1

This uses somewhat conservative approach.  It changes iccattrvalinfo destroy ops functions to set variables to NULL after free(), so even if called repeatedly, double-free is avoided.  It also changes jas_icctxt_input() to call jas_icctxt_destroy() on error, rather than performing memory freeing directly.
Comment 3 Tomas Hoger 2014-12-11 15:28:12 UTC 
Created attachment 967283 [details]
Possible patch - variant 2

This removes jas_icc*_destroy() calls from error code paths in iccattrvalinfo input ops functions (jas_icc*_input()).  This should not introduce any memory leak, as input ops functions only seem to be called from jas_iccprof_load(), and if they return error, jas_iccattrval_destroy() gets called, which leads to destroy op call.

        if ((*attrval->ops->input)(attrval, in, len)) {
            goto error;
        }

  ...

error:
  ...
    if (attrval)
        jas_iccattrval_destroy(attrval);
Comment 4 Tomas Hoger 2014-12-11 15:31:03 UTC 
Created attachment 967284 [details]
Additional fix to avoid assert() abort

If one of the above patches is applied, assert(iccprof) is triggered in jp2_decode(), aborting application using jasper.  This fix makes jasper fail more gracefully.
Comment 5 Jiri Popelka 2014-12-11 17:17:53 UTC 
All patches look good to me. I have no problem with the 'not so conservative' patch (variant 2). It doesn't seem to cause any leaks.
Comment 6 Tomas Hoger 2014-12-11 19:57:39 UTC 
Ack, thank you for review.  I also view the second variant as preferred.
Comment 9 Tomas Hoger 2014-12-18 14:15:24 UTC 
Public now via oCERT-2014-012 advisory.

External References:

http://www.ocert.org/advisories/ocert-2014-012.html
Comment 10 Tomas Hoger 2014-12-18 14:18:42 UTC 
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1175762]
Affects: epel-7 [bug 1175764]
Comment 11 Tomas Hoger 2014-12-18 14:18:44 UTC 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1175761]
Affects: epel-5 [bug 1175763]
Comment 13 errata-xmlrpc 2014-12-18 18:31:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:2021 https://rhn.redhat.com/errata/RHSA-2014-2021.html
Comment 14 Fedora Update System 2014-12-29 09:55:01 UTC 
mingw-jasper-1.900.1-25.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2014-12-29 09:55:15 UTC 
mingw-jasper-1.900.1-25.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2014-12-29 10:01:49 UTC 
mingw-jasper-1.900.1-25.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2015-01-03 00:13:19 UTC 
mingw-jasper-1.900.1-25.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2015-01-06 06:04:35 UTC 
jasper-1.900.1-27.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2015-01-06 06:07:15 UTC 
jasper-1.900.1-26.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2015-01-06 06:10:27 UTC 
jasper-1.900.1-29.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 errata-xmlrpc 2015-03-18 12:12:40 UTC 
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
Comment 24 Fedora Update System 2015-05-11 00:53:14 UTC 
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 errata-xmlrpc 2015-09-03 17:08:49 UTC 
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2015:1713 https://rhn.redhat.com/errata/RHSA-2015-1713.html
Comment 26 Tomas Hoger 2016-11-23 22:55:54 UTC 
Fixed upstream in version 1.900.3:

https://github.com/mdadams/jasper/commit/4bb93a6c49da7c1b6ad2acb60b18954a6547c637
Note You need to log in before you can comment on or make changes to this bug.