Bug 1385499 (CVE-2016-8690, CVE-2016-8884, CVE-2016-8885)

Summary: CVE-2016-8690 CVE-2016-8884 CVE-2016-8885 jasper: missing jas_matrix_create() parameter checks
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, anemec, bmcclain, cfergeau, dblechte, dmcphers, eedri, erik-fedora, jialiu, jokerman, jridky, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, slawomir, srevivo, tiwillia, ykaul, ylavi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jasper 1.900.9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-09 21:43:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1385516, 1385517, 1385518, 1385519, 1439171, 1439172, 1439173, 1439174
Bug Blocks: 1314477

Description Adam Mariš 2016-10-17 08:32:33 UTC
A null pointer dereference vulnerability was found in bmp_getdata, triggered by invoking the imginfo command on a specially crafted BMP image.

Upstream patch:

https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca

CVE assignment:

http://www.openwall.com/lists/oss-security/2016/10/16/14

Comment 1 Adam Mariš 2016-10-17 08:55:04 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]

Comment 2 Adam Mariš 2016-10-17 08:55:19 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]

Comment 3 Andrej Nemec 2016-10-19 13:01:26 UTC
Upstream patch does not fix this issue according to the reporter:

http://seclists.org/oss-sec/2016/q4/172

Comment 5 Tomas Hoger 2016-11-30 15:21:14 UTC
*** Bug 1388831 has been marked as a duplicate of this bug. ***

Comment 6 Tomas Hoger 2016-11-30 21:45:26 UTC
Here is original reporter's advisory:

https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/

It provides two crash stack traces indicating a problem in the BMP decoder:

# imginfo -f $FILE
==26929==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8fc7fd53b5 bp 0x7ffcdf755110 sp 0x7ffcdf754de0 T0)
    #0 0x7f8fc7fd53b4 in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5
    #1 0x7f8fc7fd53b4 in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f8fc7fa1a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f8fc70b961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5 in bmp_getdata
==26929==ABORTING


# imginfo -f $FILE
==15555==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02a9c081ee bp 0x7ffd1e22e110 sp 0x7ffd1e22dde0 T0)
    #0 0x7f02a9c081ed in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5
    #1 0x7f02a9c081ed in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f02a9bd4a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f02a8cec61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5 in bmp_getdata
==15555==ABORTING


These issues were reported upstream in the following bug reports:

https://github.com/mdadams/jasper/issues/24
https://github.com/mdadams/jasper/issues/21

and addressed in version 1.900.5 via this commit:

https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca

A single CVE id CVE-2016-8690 was originally assigned for these issues:

http://seclists.org/oss-sec/2016/q4/155


However, that fix did not address the underlying issue.  The change to the bmp_getint32() function prevented triggering of the problem with the originally provided reproducers, but the reporter was able to create a different reproducer that does not trigger the problem in versions prior to 1.900.5, but does trigger it in 1.900.5.

The following advisory was published for the incomplete fix:

https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690/

providing the following crash stack traces:

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
skipping unknown data in BMP file
ASAN:DEADLYSIGNAL
=================================================================
==19659==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f90527a18fe bp 0x7ffcfacc8070 sp 0x7ffcfacc7ee0 T0)
    #0 0x7f90527a18fd in bmp_getdata /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5
    #1 0x7f90527a18fd in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:201
    #2 0x7f9052748f39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #3 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #4 0x7f905185761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5 in bmp_getdata
==19659==ABORTING

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
ASAN:DEADLYSIGNAL
=================================================================
==11248==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f888b2f5a44 bp 0x7ffea5b3b070 sp 0x7ffea5b3aee0 T0)
    #0 0x7f888b2f5a43 in bmp_getdata /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5
    #1 0x7f888b2f5a43 in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:201
    #2 0x7f888b29cf39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #3 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #4 0x7f888a3ab61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5 in bmp_getdata
==11248==ABORTING


Upstream bug report for the incomplete fix:

https://github.com/mdadams/jasper/issues/33

addressed in version 1.900.9 via this commit:

https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698

The relevant part of the fix is a change to the jas_matrix_create() function to ensure that its numrows and numcols arguments are not negative.  Negative values could cause the created matrix to be initialized into an inconsistent state - with data_ being NULL and datasize_ being non-0 / negative.  That could later lead to a dereference of the NULL data_ pointer.  It's likely to be a write attempt close to NULL, but it can theoretically be further away from NULL and hence access writeable memory.  The provided test cases that trigger the problem via the BMP decoder only trigger a write close to NULL, limiting the impact to a crash.

Two separate CVE ids, CVE-2016-8884 and CVE-2016-8885, were assigned for the incomplete fix, even though the original issue only got a single CVE.  Some discussion of that can be found here:

http://seclists.org/oss-sec/2016/q4/221

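The inconsistent matrix state described in comment 6, as an added example that is not part of this bug report or of the jasper source. The struct below is a hypothetical reduction of jas_matrix_t that keeps only the fields the comment names (numrows_, numcols_, datasize_, data_, rows_); matrix_create_unchecked() models the pre-1.900.9 behaviour (no sign check, datasize_ computed as numrows * numcols, data_ left NULL when that product is not positive), matrix_create_checked() adds the negative-argument rejection the comment attributes to the 1.900.9 fix, and, going beyond the page, also rejects an int overflow of the product. The function and field names other than those quoted from the comment are assumptions for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int32_t seqent_t;

/* Hypothetical reduction of jas_matrix_t: only the fields named in the bug. */
typedef struct {
    int numrows_;
    int numcols_;
    int datasize_;     /* numrows_ * numcols_, stored as a signed int */
    seqent_t *data_;   /* backing store; stays NULL unless datasize_ > 0 */
    seqent_t **rows_;  /* per-row pointers derived from data_ */
} matrix_t;

/* Models the pre-1.900.9 behaviour: no sign check on the dimensions, so
 * numrows > 0 with numcols < 0 allocates rows_, leaves data_ NULL and
 * stores a negative datasize_, exactly the inconsistent state comment 6
 * describes. Row pointers are computed with integer arithmetic so that
 * nothing here is undefined behaviour; they are never dereferenced. */
static matrix_t *matrix_create_unchecked(int numrows, int numcols)
{
    matrix_t *m = calloc(1, sizeof *m);
    if (!m)
        return NULL;
    m->numrows_ = numrows;
    m->numcols_ = numcols;
    m->datasize_ = numrows * numcols;           /* may be negative */
    if (numrows > 0) {
        m->rows_ = calloc((size_t)numrows, sizeof *m->rows_);
        if (!m->rows_) { free(m); return NULL; }
    }
    if (m->datasize_ > 0) {
        m->data_ = calloc((size_t)m->datasize_, sizeof *m->data_);
        if (!m->data_) { free(m->rows_); free(m); return NULL; }
    }
    for (int i = 0; i < numrows; ++i) {
        uintptr_t base = (uintptr_t)m->data_;   /* 0 when data_ is NULL */
        ptrdiff_t off = (ptrdiff_t)i * numcols * (ptrdiff_t)sizeof(seqent_t);
        m->rows_[i] = (seqent_t *)(base + (uintptr_t)off);
    }
    return m;
}

/* Hardened constructor: the negative-argument check from the 1.900.9 fix,
 * plus an overflow check on numrows * numcols that the page does not discuss. */
static matrix_t *matrix_create_checked(int numrows, int numcols)
{
    if (numrows < 0 || numcols < 0)
        return NULL;
    if (numcols != 0 && numrows > INT_MAX / numcols)
        return NULL;
    return matrix_create_unchecked(numrows, numcols);
}

/* Invariant a decoder relies on before writing into the matrix:
 * datasize_ is never negative, and a positive datasize_ has a backing store. */
static int matrix_is_consistent(const matrix_t *m)
{
    if (!m || m->datasize_ < 0)
        return 0;
    if (m->datasize_ > 0 && !m->data_)
        return 0;
    return 1;
}

/* Address the first write into row i would hit, returned as an integer so it
 * can be inspected without being dereferenced. With data_ NULL and row 0 this
 * is address 0, the "SEGV on unknown address 0x000000000000" in the traces. */
static uintptr_t matrix_row_target(const matrix_t *m, int i)
{
    return (uintptr_t)m->rows_[i];
}

static void matrix_destroy(matrix_t *m)
{
    if (!m)
        return;
    free(m->data_);
    free(m->rows_);
    free(m);
}

int main(void)
{
    matrix_t *bad = matrix_create_unchecked(8, -4);   /* constructed input */
    if (bad) {
        printf("unchecked(8,-4): datasize_=%d data_=%p consistent=%d\n",
               bad->datasize_, (void *)bad->data_, matrix_is_consistent(bad));
        printf("row 0 would be written at %#lx\n",
               (unsigned long)matrix_row_target(bad, 0));
        matrix_destroy(bad);
    }
    matrix_t *good = matrix_create_checked(8, -4);
    printf("checked(8,-4): %s\n", good ? "allocated" : "rejected");
    matrix_destroy(good);
    return 0;
}
```

Checking sign and overflow at construction is the right place for this fix: every decoder that calls the constructor is protected at once, and a NULL return is something callers already have to handle for allocation failure.
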
Comment 7 Tomas Hoger 2016-11-30 21:53:27 UTC
(In reply to Tomas Hoger from comment #6)
> addressed in version 1.900.9 via this commit:
> 
> https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698

This commit also adds additional sanity checks to bmp_decode(), which do not prevent crashes on the provided reproducers.

Comment 12 errata-xmlrpc 2017-05-09 17:17:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208