Bug 1255710 (CVE-2015-5221)

Summary: CVE-2015-5221 jasper: use-after-free and double-free flaws in mif_process_cmpt()
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bleanhar, ccoleman, dmcphers, dominik.mierzejewski, erik-fedora, jdetiber, jialiu, jkeck, jokerman, jpopelka, jrusnack, kseifried, lmeyer, mike, mmccomas, rdieter, rjones
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Last Closed: 2017-05-09 21:42:40 UTC
Bug Depends On: 1255714, 1255715, 1255716, 1255717, 1260926, 1439171, 1439172, 1439173, 1439174
Bug Blocks: 1254249, 1314477

Description Adam Mariš 2015-08-21 11:40:26 UTC
A use-after-free which leads to a double-free vulnerability was found in the Jasper JPEG-2000 library, in the src/libjasper/mif/mif_cod.c file.

                case MIF_HSAMP:
                        cmpt->sampperx = atoi(jas_tvparser_getval(tvp));
                        break;
                case MIF_VSAMP:
                        cmpt->samppery = atoi(jas_tvparser_getval(tvp));
                        break;

        /* ... (end of the tag/value parsing loop omitted) ... */

        jas_tvparser_destroy(tvp);      /* first free: tvp->buf and tvp released, tvp left dangling */
        if (!cmpt->sampperx || !cmpt->samppery) {
                goto error;             /* reached with tvp still non-NULL */
        }
        if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) {
                goto error;             /* likewise */
        }
        return 0;

error:
        if (cmpt) {
                mif_cmpt_destroy(cmpt);
        }
        if (tvp) {                      /* dangling pointer passes this check */
                jas_tvparser_destroy(tvp);      /* reads tvp->buf (UAF), then frees both again */
        }
        return -1;

Both tvp and tvp->buf are freed by jas_tvparser_destroy(tvp), but if one of the two following branch conditions is taken, a second call to jas_tvparser_destroy(tvp) occurs. It is a use-after-free because, before calling free in jas_tvparser_destroy, there is a check of tvp->buf while tvp could already have been freed. Two double frees then take place just after this check (on tvp->buf and on tvp).

Public via:

http://seclists.org/oss-sec/2015/q3/408

Acknowledgements:

Name: Josselin Feist
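The control flow described in the report, reduced to a stand-alone C program. This is an added example, not JasPer code: tvparser_t, cmpt_t, tvparser_create/tvparser_destroy and the "hsamp=N vsamp=M" input format are simplified stand-ins for jas_tvparser_t, mif_cmpt_t and the MIF tag/value syntax. A tiny live-object registry makes the second destroy report itself instead of executing, so the program shows the double free safely and also shows the usual remedy of clearing the pointer immediately after the first destroy so the shared error path cannot free it again.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for jas_tvparser_t and mif_cmpt_t (assumptions for this example). */
typedef struct { char *buf; } tvparser_t;
typedef struct { int sampperx; int samppery; } cmpt_t;

/* Live-object registry: an instrumented destroy consults it before touching the
 * object, so a second destroy of the same pointer is counted, not executed. */
#define MAX_LIVE 16
static uintptr_t live[MAX_LIVE];
static int double_free_count;

static void track(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = (uintptr_t)p; return; }
    abort();
}
static int untrack(void *p) {   /* returns 1 if p was live, 0 if already destroyed */
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == (uintptr_t)p) { live[i] = 0; return 1; }
    return 0;
}

static tvparser_t *tvparser_create(const char *s) {
    tvparser_t *tvp = calloc(1, sizeof *tvp);
    if (!tvp) return NULL;
    size_t n = strlen(s) + 1;
    tvp->buf = malloc(n);
    if (!tvp->buf) { free(tvp); return NULL; }
    memcpy(tvp->buf, s, n);
    track(tvp);
    return tvp;
}

/* Frees tvp->buf and then tvp, as the report describes for jas_tvparser_destroy.
 * The registry check comes first, so the UAF read of tvp->buf never happens here. */
static void tvparser_destroy(tvparser_t *tvp) {
    if (!untrack(tvp)) { double_free_count++; return; }
    free(tvp->buf);
    free(tvp);
}

/* Mirrors the reported flow: destroy on the success path, then a later check
 * jumps to the shared error label, which destroys the same parser again. */
static int process_cmpt_buggy(const char *line, cmpt_t **out) {
    tvparser_t *tvp = NULL;
    cmpt_t *cmpt = NULL;
    if (!(cmpt = calloc(1, sizeof *cmpt))) goto error;
    if (!(tvp = tvparser_create(line))) goto error;
    sscanf(tvp->buf, "hsamp=%d vsamp=%d", &cmpt->sampperx, &cmpt->samppery);
    tvparser_destroy(tvp);                              /* first free; tvp now dangles */
    if (!cmpt->sampperx || !cmpt->samppery) goto error; /* tvp still non-NULL here */
    *out = cmpt;
    return 0;
error:
    free(cmpt);
    if (tvp) tvparser_destroy(tvp);                     /* second destroy of the same object */
    return -1;
}

/* Same logic with the pointer cleared right after the first destroy, so the
 * error path's NULL check correctly skips it. */
static int process_cmpt_fixed(const char *line, cmpt_t **out) {
    tvparser_t *tvp = NULL;
    cmpt_t *cmpt = NULL;
    if (!(cmpt = calloc(1, sizeof *cmpt))) goto error;
    if (!(tvp = tvparser_create(line))) goto error;
    sscanf(tvp->buf, "hsamp=%d vsamp=%d", &cmpt->sampperx, &cmpt->samppery);
    tvparser_destroy(tvp);
    tvp = NULL;                                         /* ownership released: never free again */
    if (!cmpt->sampperx || !cmpt->samppery) goto error;
    *out = cmpt;
    return 0;
error:
    free(cmpt);
    if (tvp) tvparser_destroy(tvp);
    return -1;
}

/* Runs one parser over a constructed header line and returns how many
 * double frees the registry observed (0 is the expected value for correct code). */
static int run_case(int (*fn)(const char *, cmpt_t **), const char *line) {
    double_free_count = 0;
    cmpt_t *c = NULL;
    if (fn(line, &c) == 0) free(c);
    return double_free_count;
}

int main(void) {
    /* constructed inputs: the first fails the sampperx check, the second is valid */
    printf("buggy, hsamp=0: %d double free(s)\n", run_case(process_cmpt_buggy, "hsamp=0 vsamp=1"));
    printf("fixed, hsamp=0: %d double free(s)\n", run_case(process_cmpt_fixed, "hsamp=0 vsamp=1"));
    printf("buggy, valid:   %d double free(s)\n", run_case(process_cmpt_buggy, "hsamp=2 vsamp=2"));
    return 0;
}
```

The registry stands in for what ASan or a hardened malloc would report on the real library; the point it makes is that the bug is not in jas_tvparser_destroy itself but in a shared error label that cannot tell whether an earlier branch already released the object, which is why clearing the pointer at the release point (or releasing only in one place) is the structural fix.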

Comment 1 Adam Mariš 2015-08-21 11:47:03 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1255715]

Comment 2 Adam Mariš 2015-08-21 11:47:06 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1255714]

Comment 3 Adam Mariš 2015-08-21 11:47:44 UTC
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1255716]

Comment 4 Adam Mariš 2015-08-21 11:48:03 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1255717]

Comment 7 Fedora Update System 2016-08-15 21:21:38 UTC
jasper-1.900.1-33.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-09-09 21:51:51 UTC
jasper-1.900.1-33.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Tomas Hoger 2016-11-23 21:41:02 UTC
Fixed in jasper 1.900.2:

https://github.com/mdadams/jasper/commit/df5d2867e8004e51e18b89865bc4aa69229227b3

Comment 13 errata-xmlrpc 2017-05-09 17:15:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208