Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1314466 (CVE-2016-1577) - CVE-2016-1577 jasper: double free issue in jas_iccattrval_destroy()
Summary: CVE-2016-1577 jasper: double free issue in jas_iccattrval_destroy()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-1577
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1314468 1314469 1314470 1314471 1439171 1439172 1439173 1439174
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-03 16:57 UTC by Adam Mariš
Modified: 2019-09-29 13:45 UTC (History)
27 users (show)

Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-09 21:41:28 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 0 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 21:13:57 UTC

Description Adam Mariš 2016-03-03 16:57:46 UTC
A double free vulnerability in jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file was found.

Vulnerable code:

src/libjasper/base/jas_icc.c:
258     jas_iccprof_t *jas_iccprof_load(jas_stream_t *in)
259     {
...
294             for (i = 0; i < numtags; ++i) {
295                     tagtabent = &prof->tagtab.ents[i];
296                     if (tagtabent->off == JAS_CAST(jas_iccuint32_t, prevoff)) {
297                             if (prevattrval) {
298                                     if (!(attrval = jas_iccattrval_clone(prevattrval)))
299                                             goto error;
300                                     if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
301                                             goto error;
302                                     jas_iccattrval_destroy(attrval);
303                             } else {
304     #if 0
305                                     jas_eprintf("warning: skipping unknown tag type\n");
306     #endif
307                             }
308                             continue;
309                     }
310                     reloff = tagtabent->off - curoff;
311                     if (reloff > 0) {
312                             if (jas_stream_gobble(in, reloff) != reloff)
313                                     goto error;
314                             curoff += reloff;
315                     } else if (reloff < 0) {
316                             /* This should never happen since we read the tagged
317                             element data in a single pass. */
318                             abort();
319                     }
320                     prevoff = curoff;
321                     if (jas_iccgetuint32(in, &type)) {
322                             goto error;
323                     }
324                     if (jas_stream_gobble(in, 4) != 4) {
325                             goto error;
326                     }
327                     curoff += 8;
328                     if (!(attrvalinfo = jas_iccattrvalinfo_lookup(type))) {
329     #if 0
330                             jas_eprintf("warning: skipping unknown tag type\n");
331     #endif
332                             prevattrval = 0;
333                             continue;
334                     }
335                     if (!(attrval = jas_iccattrval_create(type))) {
336                             goto error;
337                     }
...
353     error:
354             if (prof)
355                     jas_iccprof_destroy(prof);
356             if (attrval)
357                     jas_iccattrval_destroy(attrval);
358             return 0;
359     }

attrval variable is assigned on line 298 and freed with the call to jas_iccattrval_destroy() on line 302. If the tests on lines 312, 321, or 324 are true, the same pointer will be passed a second time to jas_iccattrval_destroy() on line 357.

Proposed patch:

http://seclists.org/oss-sec/2016/q1/att-507/CVE-2016-1577.patch

Public via:

http://seclists.org/oss-sec/2016/q1/507

Comment 1 Adam Mariš 2016-03-03 16:59:08 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1314469]
Affects: epel-7 [bug 1314471]

Comment 2 Adam Mariš 2016-03-03 16:59:22 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1314468]
Affects: epel-5 [bug 1314470]

Comment 3 Fedora Update System 2016-08-15 21:21:05 UTC
jasper-1.900.1-33.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-09-09 21:51:13 UTC
jasper-1.900.1-33.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Tomas Hoger 2016-11-23 21:28:39 UTC
The original Ubuntu bug report:

https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/1547865


Upstream commit, applied in version 1.900.2:

https://github.com/mdadams/jasper/commit/74ea22a7a4fe186e0a0124df25e19739b77c4a29

Comment 8 errata-xmlrpc 2017-05-09 17:16:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208


Note You need to log in before you can comment on or make changes to this bug.