Bug 1179282 (CVE-2014-8157)
Summary: | CVE-2014-8157 jasper: dec->numtiles off-by-one check in jpc_dec_process_sot() (oCERT-2015-001) | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | acathrow, alonbl, bazulay, bleanhar, bmcclain, ccoleman, cfergeau, dblechte, dmcphers, ecohen, gklein, idith, iheim, jdetiber, jialiu, jkeck, jokerman, jpopelka, jrusnack, kseifried, lmeyer, lsurette, michal.skrivanek, mmccomas, phracek, rbalakri, security-response-team, yeylon |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | jasper 1.900.2 | Doc Type: | Bug Fix |
Doc Text: | An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2015-03-18 13:25:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1182812, 1183671, 1183672, 1183673, 1183674, 1184750, 1184751, 1184752, 1184753 | | |
Bug Blocks: | 1167538, 1179289 | | |
Description
Vasyl Kaigorodov
2015-01-06 14:29:24 UTC
(In reply to Vasyl Kaigorodov from comment #0)
> Fix proposal:
>
> if ( dec->numtiles == 0 || !(dec->tiles = jas_malloc(dec->numtiles *
> sizeof(jpc_dec_tile_t)))) {
>     return -1;
> }

LGTM

While the patch looks harmless, it's unclear to me how it helps, as the issue is not clearly identified in the report. As far as I can see, all dec->tiles[] accesses use dec->numtiles as an upper bound, so there does not seem to be any issue with overflowing an under-allocated buffer. It's unclear where the reported use-after-free-like problem should happen.

(In reply to Tomas Hoger from comment #2)
> As far as I can see, all dec->tiles[] accesses use dec->numtiles as an upper
> bound, so there does not seem to be any issue with overflowing an under-allocated
> buffer.

The check in jpc_dec_process_sot() is actually off-by-one:

```c
if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
    jas_eprintf("invalid tile number in SOT marker segment\n");
    return -1;
}

/* Set the current tile. */
dec->curtile = &dec->tiles[sot->tileno];
tile = dec->curtile;
```

sot->tileno equal to dec->numtiles already makes the dec->tiles[] access fall outside of the allocated bounds.

Public now via oCERT-2015-001.
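The following C program is an added illustration of the two checks discussed in the comments above; it is not code from this bug report or from JasPer. The `dec_t` and `tile_t` types, the `dec_alloc_tiles()`/`dec_select_tile()` helpers and the scenario values (4 tiles, an SOT marker naming tile 4) are constructed stand-ins, not JasPer's real structures. It shows why `tileno > numtiles` lets the index `numtiles` through to `tiles[numtiles]`, which is one element past the allocation, and how the `>=` form and the `numtiles == 0` guard from the proposed patch close both gaps.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for JasPer's decoder and tile structs (not JasPer's real types). */
typedef struct {
    int tileno;
    int decoded;
} tile_t;

typedef struct {
    int numtiles;
    tile_t *tiles;
} dec_t;

/* Allocate the tile array. Mirrors the guard from the proposed patch: a zero tile
 * count is rejected instead of asking the allocator for a zero-byte buffer.
 * Returns 0 on success, -1 on failure. */
int dec_alloc_tiles(dec_t *dec, int numtiles)
{
    dec->tiles = NULL;
    dec->numtiles = 0;
    if (numtiles <= 0 || !(dec->tiles = calloc((size_t)numtiles, sizeof(tile_t)))) {
        return -1;
    }
    dec->numtiles = numtiles;
    return 0;
}

void dec_free_tiles(dec_t *dec)
{
    free(dec->tiles);
    dec->tiles = NULL;
    dec->numtiles = 0;
}

/* The SOT tile-number check as it stood before the fix: only values strictly greater
 * than numtiles are rejected, so tileno == numtiles (one past the end) is accepted. */
int sot_tileno_ok_before_fix(const dec_t *dec, int tileno)
{
    return !(tileno > dec->numtiles);
}

/* Corrected check: the last valid index is numtiles - 1. The negative-value guard is
 * an extra defensive check added in this example, not something the report discusses. */
int sot_tileno_ok_after_fix(const dec_t *dec, int tileno)
{
    return tileno >= 0 && tileno < dec->numtiles;
}

/* Select the current tile the way jpc_dec_process_sot() does, but with the corrected
 * bound. Returns NULL instead of forming a pointer past the end of dec->tiles. */
tile_t *dec_select_tile(dec_t *dec, int tileno)
{
    if (!sot_tileno_ok_after_fix(dec, tileno)) {
        fprintf(stderr, "invalid tile number in SOT marker segment\n");
        return NULL;
    }
    return &dec->tiles[tileno];
}

/* Constructed scenario: an image with 4 tiles and an SOT marker naming tile 4.
 * Returns 1 when the old check lets the out-of-range index through and the
 * corrected check stops it, 0 otherwise. */
int demo_numtiles_off_by_one(void)
{
    dec_t dec;
    if (dec_alloc_tiles(&dec, 4) != 0) {
        return 0;
    }
    int before = sot_tileno_ok_before_fix(&dec, dec.numtiles);  /* 1: would index tiles[4] */
    int after = sot_tileno_ok_after_fix(&dec, dec.numtiles);    /* 0: rejected */
    int last_ok = dec_select_tile(&dec, dec.numtiles - 1) == &dec.tiles[3];
    int oob_null = dec_select_tile(&dec, dec.numtiles) == NULL;
    int result = before && !after && last_ok && oob_null;
    dec_free_tiles(&dec);
    return result;
}

/* The numtiles == 0 guard from the proposed patch: allocation must fail cleanly
 * and leave no tile array behind. Returns 1 when it does. */
int demo_zero_tiles_rejected(void)
{
    dec_t dec;
    return dec_alloc_tiles(&dec, 0) == -1 && dec.tiles == NULL && dec.numtiles == 0;
}

int main(void)
{
    printf("off-by-one reproduced and fixed: %d\n", demo_numtiles_off_by_one());
    printf("zero tile count rejected:        %d\n", demo_zero_tiles_rejected());
    return 0;
}
```

The two demo functions encode the comment thread's own argument: the old comparison accepts `numtiles` as a tile index even though every other `dec->tiles[]` access treats `numtiles` as an exclusive upper bound, so the SOT path was the one place where the buffer could be indexed one element past its end.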
External References:
http://www.ocert.org/advisories/ocert-2015-001.html

Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184751]
Affects: epel-7 [bug 1184753]

Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184750]
Affects: epel-5 [bug 1184752]

Patch that was added to Fedora jasper packages:
http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch

Statement:

(none)

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6

Via RHSA-2015:0074 https://rhn.redhat.com/errata/RHSA-2015-0074.html

This issue has been addressed in the following products:

OpenShift Enterprise 2.0, 2.1 and 2.2

Via:
RHBA-2015:0075 https://rhn.redhat.com/errata/RHBA-2015-0075.html
RHBA-2015:0076 https://rhn.redhat.com/errata/RHBA-2015-0076.html
RHBA-2015:0077 https://rhn.redhat.com/errata/RHBA-2015-0077.html

mingw-jasper-1.900.1-26.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

mingw-jasper-1.900.1-26.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

jasper-1.900.1-30.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

jasper-1.900.1-28.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

mingw-jasper-1.900.1-26.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html

jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Fix was integrated upstream in version 1.900.2:
https://github.com/mdadams/jasper/commit/3fd4067496d8ef70f11841d7492ddeb1f1d56915