Bug 1388840 (CVE-2016-10249) - CVE-2016-10249 jasper: integer overflow in jas_matrix_create()
Summary: CVE-2016-10249 jasper: integer overflow in jas_matrix_create()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-10249
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1434442
Depends On: 1388873 1388874 1388875 1388876 1439171 1439172 1439173 1439174
Blocks:
Reported: 2016-10-26 09:43 UTC by Adam Mariš
Modified: 2019-09-29 13:58 UTC (History)

Fixed In Version: jasper 1.900.12
Clone Of:
Environment:
Last Closed: 2017-05-09 21:43:07 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 0 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 21:13:57 UTC

Description Adam Mariš 2016-10-26 09:43:38 UTC
An out-of-bounds heap read was found in jpc_dec_tiledecode in jpc_dec.c.

CVE request:

http://seclists.org/oss-sec/2016/q4/219

Upstream patch:

https://github.com/mdadams/jasper/commit/988f8365f7d8ad8073b6786e433d34c553ecf568

Comment 1 Adam Mariš 2016-10-26 10:52:31 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388874]
Affects: epel-7 [bug 1388876]

Comment 2 Adam Mariš 2016-10-26 10:52:50 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388873]
Affects: epel-5 [bug 1388875]

Comment 3 Tomas Hoger 2017-03-24 13:59:48 UTC
CVE assignment notification:

http://seclists.org/oss-sec/2017/q1/607

Comment 4 Tomas Hoger 2017-03-24 14:00:35 UTC
*** Bug 1434442 has been marked as a duplicate of this bug. ***

Comment 5 Tomas Hoger 2017-03-31 13:08:37 UTC
Original reporter's advisory:

https://blogs.gentoo.org/ago/2016/10/23/jasper-heap-based-buffer-overflow-in-jpc_dec_tiledecode-jpc_dec-c/

Relevant information from the advisory:

Another round of fuzzing on an updated version (1.900.10) revealed a buffer over-read because of an integer overflow.

The complete ASan output:

# imginfo -f $FILE
warning: not enough tile data (9 bytes)
=================================================================
==15870==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0c6a964770 at pc 0x7f0c729e93a4 bp 0x7ffd08758cf0 sp 0x7ffd08758ce8
READ of size 8 at 0x7f0c6a964770 thread T0
    #0 0x7f0c729e93a3 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1126:43
    #1 0x7f0c729d9567 in jpc_dec_process_eoc /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1170:8
    #2 0x7f0c729e20c4 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:390:10
    #3 0x7f0c729e20c4 in jpc_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:254
    #4 0x7f0c729afc41 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:215:21
    #5 0x7f0c7293fa29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16
    #6 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16
    #7 0x7f0c71a4c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

0x7f0c6a964770 is located 0 bytes to the right of 64749424-byte region [0x7f0c66ba4800,0x7f0c6a964770)
allocated by thread T0 here:
    #0 0x4c03b8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f0c7297efbe in jas_malloc /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_malloc.c:105:11
    #2 0x7f0c7297efbe in jas_alloc2 /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_malloc.c:136
    #3 0x7f0c7297fb44 in jas_matrix_create /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_seq.c:129:25
    #4 0x7f0c7297f71b in jas_seq2d_create /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_seq.c:90:17
    #5 0x7f0c729d4280 in jpc_dec_tileinit /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:702:23
    #6 0x7f0c729d4280 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:559
    #7 0x7f0c729e20c4 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:390:10
    #8 0x7f0c729e20c4 in jpc_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:254
    #9 0x7f0c729afc41 in jp2_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jp2/jp2_dec.c:215:21
    #10 0x7f0c7293fa29 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/base/jas_image.c:392:16
    #11 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/appl/imginfo.c:188:16
    #12 0x7f0c71a4c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/jasper-1.900.10/work/jasper-1.900.10/src/libjasper/jpc/jpc_dec.c:1126:43 in jpc_dec_tiledecode
==15870==ABORTING

Affected version: 1.900.10

Fixed version: 1.900.12

Commit fix:
https://github.com/mdadams/jasper/commit/988f8365f7d8ad8073b6786e433d34c553ecf568

Credit: This bug was discovered by Agostino Sarubbo of Gentoo.

CVE: CVE-2016-10249

Reproducer:
https://github.com/asarubbo/poc/blob/master/00001-jasper-heapoverflow-jpc_dec_tiledecode

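The failure mode the advisory describes, in miniature: a matrix element count formed in a 32-bit integer wraps for large dimensions, so the allocation in jas_matrix_create() comes back far smaller than what jpc_dec_tiledecode() later indexes. The added example below (not JasPer's code and not the upstream patch; function names are hypothetical and the checked arithmetic is a generic pattern, not a description of commit 988f836) shows the wrapping computation next to an overflow-checked allocation that refuses rather than under-allocates.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* The overflow pattern behind this bug, in miniature: the element count of a
 * numrows x numcols matrix is formed in a 32-bit integer, so large dimensions
 * wrap around and the allocation ends up far smaller than the decoder later
 * indexes. (Unsigned arithmetic here so the wrap itself is well-defined.) */
uint32_t unchecked_elem_count(uint32_t numrows, uint32_t numcols)
{
    return numrows * numcols;           /* 65536 * 65536 wraps to 0 */
}

/* size_t multiply that reports wrap-around instead of silently truncating. */
static bool safe_size_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Byte size of a numrows x numcols matrix of int32_t samples.
 * Returns false if either multiplication would overflow size_t. */
bool checked_matrix_bytes(size_t numrows, size_t numcols, size_t *nbytes)
{
    size_t count;
    return safe_size_mul(numrows, numcols, &count) &&
           safe_size_mul(count, sizeof(int32_t), nbytes);
}

/* Allocate the sample buffer only when its size is representable; a caller
 * that gets NULL must fail the decode rather than continue with a short
 * buffer. Free the result with free(). (Hypothetical helper, not JasPer API.) */
int32_t *matrix_data_create_checked(size_t numrows, size_t numcols)
{
    size_t nbytes;
    if (!checked_matrix_bytes(numrows, numcols, &nbytes))
        return NULL;                    /* refuse instead of under-allocating */
    return malloc(nbytes ? nbytes : 1); /* zero-size matrix still gets a pointer */
}
```
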
Comment 7 Tomas Hoger 2017-03-31 13:55:36 UTC
There is a potential problem in the fix linked above, reported upstream in:

https://github.com/mdadams/jasper/issues/128

Comment 9 errata-xmlrpc 2017-05-09 17:17:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208

