Bug 1314466 (CVE-2016-1577)

Summary: CVE-2016-1577 jasper: double free issue in jas_iccattrval_destroy()
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, alonbl, bmcclain, cfergeau, dblechte, dmcphers, erik-fedora, jialiu, jokerman, jpopelka, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mmccomas, phracek, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, slawomir, srevivo, tiwillia, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 1.900.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-09 21:41:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1314468, 1314469, 1314470, 1314471, 1439171, 1439172, 1439173, 1439174    
Bug Blocks: 1314477    

Description Adam Mariš 2016-03-03 16:57:46 UTC 
A double free vulnerability in jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file was found.

Vulnerable code:

src/libjasper/base/jas_icc.c:
258     jas_iccprof_t *jas_iccprof_load(jas_stream_t *in)
259     {
...
294             for (i = 0; i < numtags; ++i) {
295                     tagtabent = &prof->tagtab.ents[i];
296                     if (tagtabent->off == JAS_CAST(jas_iccuint32_t, prevoff)) {
297                             if (prevattrval) {
298                                     if (!(attrval = jas_iccattrval_clone(prevattrval)))
299                                             goto error;
300                                     if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
301                                             goto error;
302                                     jas_iccattrval_destroy(attrval);
303                             } else {
304     #if 0
305                                     jas_eprintf("warning: skipping unknown tag type\n");
306     #endif
307                             }
308                             continue;
309                     }
310                     reloff = tagtabent->off - curoff;
311                     if (reloff > 0) {
312                             if (jas_stream_gobble(in, reloff) != reloff)
313                                     goto error;
314                             curoff += reloff;
315                     } else if (reloff < 0) {
316                             /* This should never happen since we read the tagged
317                             element data in a single pass. */
318                             abort();
319                     }
320                     prevoff = curoff;
321                     if (jas_iccgetuint32(in, &type)) {
322                             goto error;
323                     }
324                     if (jas_stream_gobble(in, 4) != 4) {
325                             goto error;
326                     }
327                     curoff += 8;
328                     if (!(attrvalinfo = jas_iccattrvalinfo_lookup(type))) {
329     #if 0
330                             jas_eprintf("warning: skipping unknown tag type\n");
331     #endif
332                             prevattrval = 0;
333                             continue;
334                     }
335                     if (!(attrval = jas_iccattrval_create(type))) {
336                             goto error;
337                     }
...
353     error:
354             if (prof)
355                     jas_iccprof_destroy(prof);
356             if (attrval)
357                     jas_iccattrval_destroy(attrval);
358             return 0;
359     }

attrval variable is assigned on line 298 and freed with the call to jas_iccattrval_destroy() on line 302. If the tests on lines 312, 321, or 324 are true, the same pointer will be passed a second time to jas_iccattrval_destroy() on line 357.

Proposed patch:

http://seclists.org/oss-sec/2016/q1/att-507/CVE-2016-1577.patch

Public via:

http://seclists.org/oss-sec/2016/q1/507
Comment 1 Adam Mariš 2016-03-03 16:59:08 UTC 
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1314469]
Affects: epel-7 [bug 1314471]
Comment 2 Adam Mariš 2016-03-03 16:59:22 UTC 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1314468]
Affects: epel-5 [bug 1314470]
Comment 3 Fedora Update System 2016-08-15 21:21:05 UTC 
jasper-1.900.1-33.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2016-09-09 21:51:13 UTC 
jasper-1.900.1-33.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Tomas Hoger 2016-11-23 21:28:39 UTC 
The original Ubuntu bug report:

https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/1547865


Upstream commit, applied in version 1.900.2:

https://github.com/mdadams/jasper/commit/74ea22a7a4fe186e0a0124df25e19739b77c4a29
Comment 8 errata-xmlrpc 2017-05-09 17:16:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208