Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1173162 (CVE-2014-8138) - CVE-2014-8138 jasper: heap overflow in jp2_decode() (oCERT-2014-012)
Summary: CVE-2014-8138 jasper: heap overflow in jp2_decode() (oCERT-2014-012)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8138
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1173566 1173567 1173568 1173569 1175761 1175762 1175763 1175764 1185246 1185247 1188087
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-11 15:02 UTC by Tomas Hoger
Modified: 2023-05-12 06:55 UTC (History)
19 users (show)

Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2015-03-18 13:25:07 UTC
Embargoed:


Attachments (Terms of Use)
Proposed patch (deleted)
2014-12-11 15:17 UTC, Tomas Hoger
jpopelka: review+
Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Novell 909475 0 None None None Never
Red Hat Product Errata RHSA-2014:2021 0 normal SHIPPED_LIVE Important: jasper security update 2014-12-18 23:31:00 UTC
Red Hat Product Errata RHSA-2015:0698 0 normal SHIPPED_LIVE Important: rhevm-spice-client security, bug fix, and enhancement update 2015-03-18 16:11:47 UTC
Red Hat Product Errata RHSA-2015:1713 0 normal SHIPPED_LIVE Important: rhev-hypervisor security, bug fix, and enhancement update 2015-09-03 21:08:30 UTC

Description Tomas Hoger 2014-12-11 15:02:27 UTC
oCERT reports a heap-overflow issue in jp2_decode() in jasper:

  This code in jas_decode doesn't check for an upper bound on the value of
  channo:

	jas_image_setcmpttype(dec->image,
	  dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
	  jp2_getct(jas_image_clrspc(dec->image),
	  dec->cdef->data.cdef.ents[i].type, dec->cdef->data.cdef.ents[i].assoc));
  
  This could be used via jas_image_setcmpttype (actually this is just
  image->cmpts_[cmptno]->type_ = type), to do an arbitrary write since
  there's no bound check there either.

Acknowledgements:

Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.

Comment 2 Tomas Hoger 2014-12-11 15:17:56 UTC
Created attachment 967280 [details]
Proposed patch

This adds channo check directly to jp2_decode().  An alternative would be to do check earlier in jp2_cdef_getdata().  However, as jp2_decode() does other similar sanity checks, it seems more consistent to add the check there as well.

Comment 3 Jiri Popelka 2014-12-11 16:09:16 UTC
Comment on attachment 967280 [details]
Proposed patch

Patch looks good to me.

Comment 7 Tomas Hoger 2014-12-18 14:16:11 UTC
Public now via oCERT-2014-012 advisory.

External References:

http://www.ocert.org/advisories/ocert-2014-012.html

Comment 8 Tomas Hoger 2014-12-18 14:17:44 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1175762]
Affects: epel-7 [bug 1175764]

Comment 9 Tomas Hoger 2014-12-18 14:17:48 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1175761]
Affects: epel-5 [bug 1175763]

Comment 11 errata-xmlrpc 2014-12-18 18:31:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:2021 https://rhn.redhat.com/errata/RHSA-2014-2021.html

Comment 12 Fedora Update System 2014-12-29 09:55:05 UTC
mingw-jasper-1.900.1-25.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-12-29 09:55:17 UTC
mingw-jasper-1.900.1-25.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-12-29 10:01:52 UTC
mingw-jasper-1.900.1-25.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-01-03 00:13:16 UTC
mingw-jasper-1.900.1-25.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-01-06 06:04:39 UTC
jasper-1.900.1-27.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2015-01-06 06:07:18 UTC
jasper-1.900.1-26.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2015-01-06 06:10:30 UTC
jasper-1.900.1-29.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 errata-xmlrpc 2015-03-18 12:12:43 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html

Comment 22 Fedora Update System 2015-05-11 00:52:30 UTC
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 errata-xmlrpc 2015-09-03 17:08:54 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2015:1713 https://rhn.redhat.com/errata/RHSA-2015-1713.html

Comment 24 Tomas Hoger 2016-11-23 21:43:46 UTC
Fix was integrated upstream in version 1.900.2:

https://github.com/mdadams/jasper/commit/c54113d6fa49f8f26d1572e972b806276c5b05d5


Note You need to log in before you can comment on or make changes to this bug.