Bug 461478 (CVE-2008-3522) - CVE-2008-3522 jasper: possible buffer overflow in jas_stream_printf()
Summary: CVE-2008-3522 jasper: possible buffer overflow in jas_stream_printf()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3522
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 530305
Blocks:
Reported: 2008-09-08 13:30 UTC by Tomas Hoger
Modified: 2019-09-29 12:26 UTC (History)
CC: 2 users

Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-28 10:59:30 UTC
Embargoed:


Attachments
OpenBSD patch (deleted) - 2008-09-08 13:35 UTC, Tomas Hoger


Links
Red Hat Product Errata RHSA-2015:0698 (normal, SHIPPED_LIVE): Important: rhevm-spice-client security, bug fix, and enhancement update (last updated 2015-03-18 16:11:47 UTC)

Description Tomas Hoger 2008-09-08 13:30:10 UTC
Marc Espie and Christian Weisgerber of the OpenBSD project reported that the jas_stream_printf() function used by jasper uses vsprintf() internally to print data to a fixed-size buffer. This can result in a buffer overflow in cases where jas_stream_printf() may be called with untrusted user-supplied data.

OpenBSD jasper library patches:
http://www.openbsd.org/cgi-bin/cvsweb/ports/graphics/jasper/patches/
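
As an added illustration (not jasper's code, and not the OpenBSD or upstream patch), the following models the pattern described above: a printf-style stream function that formats into a fixed stack buffer with vsprintf(), beside a hardened version that bounds the write with vsnprintf() and, when the output is longer than the buffer, formats again into a heap buffer of exactly the needed size instead of truncating or overflowing. It also includes a check that tells whether a given format and argument list would have exceeded the fixed buffer. The demo_stream_t type, the function names and the 4096-byte buffer size are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_BUF_SIZE 4096   /* assumed size of the fixed buffer (example only) */

/* Stand-in for the library's output stream: a growable heap buffer. */
typedef struct { char *data; size_t len, cap; } demo_stream_t;

/* Appends n bytes, growing the buffer as needed; keeps a trailing NUL.
   A zero-initialised demo_stream_t is a valid empty stream. */
static int demo_stream_write(demo_stream_t *s, const char *buf, size_t n)
{
    if (s->len + n + 1 > s->cap) {
        size_t ncap = s->cap ? s->cap : 64;
        while (ncap < s->len + n + 1)
            ncap *= 2;
        char *p = realloc(s->data, ncap);
        if (!p)
            return -1;
        s->data = p;
        s->cap = ncap;
    }
    memcpy(s->data + s->len, buf, n);
    s->len += n;
    s->data[s->len] = '\0';
    return (int)n;
}

/* The pattern the report describes: vsprintf() into a fixed stack buffer.
   Nothing bounds the write, so formatted output of FIXED_BUF_SIZE bytes or
   more runs past the end of buf. Exercised below only with short output. */
static int unsafe_stream_printf(demo_stream_t *s, const char *fmt, ...)
{
    char buf[FIXED_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(buf, fmt, ap);
    va_end(ap);
    return n < 0 ? -1 : demo_stream_write(s, buf, (size_t)n);
}

/* Hardened form: vsnprintf() bounds the write, and output that does not fit
   is formatted again into a heap buffer of exactly the required size rather
   than being silently truncated. */
static int safe_stream_printf(demo_stream_t *s, const char *fmt, ...)
{
    char stackbuf[FIXED_BUF_SIZE], *buf = stackbuf;
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(stackbuf, sizeof stackbuf, fmt, ap);
    va_end(ap);
    if (n >= 0 && (size_t)n >= sizeof stackbuf && (buf = malloc((size_t)n + 1)))
        vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    if (n < 0 || !buf)
        return -1;
    int rc = demo_stream_write(s, buf, (size_t)n);
    if (buf != stackbuf)
        free(buf);
    return rc;
}

/* Check: would this format/argument list overflow the fixed buffer? */
static int would_overflow_fixed_buffer(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= FIXED_BUF_SIZE;
}

/* Writes a right-aligned field of exactly `width` characters through the safe
   path; returns 1 if the stream then holds width-1 spaces followed by '7'. */
static int demo_safe_field_ok(int width)
{
    demo_stream_t s = {0};
    int ok = 0;
    if (safe_stream_printf(&s, "%*d", width, 7) == width && s.len == (size_t)width) {
        ok = (s.data[width - 1] == '7');
        for (int i = 0; ok && i < width - 1; i++)
            ok = (s.data[i] == ' ');
    }
    free(s.data);
    return ok;
}

/* The unsafe path is exercised only with output that fits the fixed buffer. */
static int demo_unsafe_short_ok(void)
{
    demo_stream_t s = {0};
    int ok = unsafe_stream_printf(&s, "tag=%d", 1) == 5 && strcmp(s.data, "tag=1") == 0;
    free(s.data);
    return ok;
}
```

demo_safe_field_ok(5000) returns 1: the 5000-character field goes through the heap fallback intact, whereas the same call through unsafe_stream_printf() would write 905 bytes past the end of its stack buffer. would_overflow_fixed_buffer() is the kind of check to apply to any call site that formats attacker-influenced strings (for example a comment or file name from a decoded image) before trusting a fixed-size buffer. The boundary is exact: 4095 characters plus the NUL fit in 4096 bytes, 4096 characters do not.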

Comment 1 Tomas Hoger 2008-09-08 13:35:47 UTC
Created attachment 316079 [details]
OpenBSD patch

Comment 2 Tomas Hoger 2008-09-08 13:53:20 UTC
netpbm contains an embedded copy of the jasper library for use in the jpeg2ktopam and pamtojpeg2k converters. Even though it contains a vulnerable version of jas_stream_printf(), that function is not used in netpbm. The parts of the jasper sources that contain a call to jas_stream_printf() that can possibly result in an overflow are not embedded in the netpbm source.

Removing netpbm maintainer from the CC.

Comment 4 Fedora Update System 2009-10-26 16:59:56 UTC
jasper-1.900.1-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc11

Comment 5 Fedora Update System 2009-10-26 17:01:05 UTC
jasper-1.900.1-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc10

Comment 6 Fedora Update System 2009-10-26 17:01:47 UTC
jasper-1.900.1-13.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el5

Comment 7 Fedora Update System 2009-10-26 17:02:27 UTC
jasper-1.900.1-13.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el4

Comment 8 Fedora Update System 2009-10-27 06:37:05 UTC
jasper-1.900.1-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2009-10-27 06:43:22 UTC
jasper-1.900.1-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-10-27 21:32:45 UTC
jasper-1.900.1-13.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2009-10-27 21:33:31 UTC
jasper-1.900.1-13.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2015-03-18 12:12:24 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html

Comment 13 Tomas Hoger 2016-11-23 21:18:25 UTC
Fix was integrated upstream in version 1.900.2:

https://github.com/mdadams/jasper/commit/d678ccd27b8a062e3bfd4c80d8ce2676a8166a27

