Bug 1385502 (CVE-2016-8691, CVE-2016-8692)

Summary: CVE-2016-8691 CVE-2016-8692 jasper: missing SIZ marker segment XRsiz and YRsiz fields range check
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, bmcclain, cfergeau, dblechte, dmcphers, eedri, erik-fedora, jialiu, jokerman, jridky, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, slawomir, srevivo, tiwillia, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 1.900.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-09 21:45:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1385516, 1385517, 1385518, 1385519, 1439171, 1439172, 1439173, 1439174    
Bug Blocks: 1314477    

Description Adam Mariš 2016-10-17 08:40:25 UTC
Divide by zero vulnerability was found in jpc_dec_process_siz triggered by invoking imginfo command on specially crafted file.

Upstream patch:

https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020

CVE assignment:

http://www.openwall.com/lists/oss-security/2016/10/16/14

Comment 1 Adam Mariš 2016-10-17 08:49:20 UTC
Please, don't make changes to flaw bugs! These should be modified only by members of Product Security. Tracking bugs for Fedora will be created soon.

Thanks!

Comment 2 Adam Mariš 2016-10-17 08:55:35 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]

Comment 3 Adam Mariš 2016-10-17 08:55:53 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]

Comment 4 Tomas Hoger 2016-11-30 10:45:43 UTC
There are two related issues, that got separate CVEs assigned - CVE-2016-8691 and CVE-2016-8692 - even though they should have got a single CVE based on Mitre CVE assignment rules.  They have also been addressed via the same upstream commit.  Merging the tracking of both CVEs to single bug.

Prior to the patch, the jpc_siz_getparms() function failed to sanity check values of XRsiz and YRsiz fields of SIZ marker segment.  That could lead to an attempt to perform division by 0, and hence unexpected program termination, inside jpc_dec_process_siz() function.

Both issues are covered by this advisory from the original reporter:

https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/


CVE-2016-8691 is for the missing check of XRsiz value

Upstream bug report:

https://github.com/mdadams/jasper/issues/22

Details from the original reporter's advisory:

# imginfo -f $FILE
warning: trailing garbage in marker segment (2 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==31103==ERROR: AddressSanitizer: FPE on unknown address 0x7f5b9237e7df (pc 0x7f5b9237e7df bp 0x7fff3818a0c0 sp 0x7fff38189fa0 T0)
    #0 0x7f5b9237e7de in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17
    #1 0x7f5b923842b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f5b923842b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f5b92327a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f5b9143f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17 in jpc_dec_process_siz
==31103==ABORTING


CVE-2016-8692 is for the missing check of YRsiz value

Upstream bug report:

https://github.com/mdadams/jasper/issues/23

Details from the original reporter's advisory:

# imginfo -f $FILE
warning: trailing garbage in marker segment (5 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==24077==ERROR: AddressSanitizer: FPE on unknown address 0x7f78c36f9822 (pc 0x7f78c36f9822 bp 0x7ffe2bff10c0 sp 0x7ffe2bff0fa0 T0)
    #0 0x7f78c36f9821 in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18
    #1 0x7f78c36ff2b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f78c36ff2b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f78c36a2a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f78c27ba61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18 in jpc_dec_process_siz
==24077==ABORTING

Comment 7 Tomas Hoger 2016-11-30 11:34:49 UTC
*** Bug 1385503 has been marked as a duplicate of this bug. ***

Comment 8 Tomas Hoger 2016-11-30 11:36:30 UTC
Impact of this problem is limited to unexpected application termination.  There is currently no plan to backport the fix to already released Red Hat Enterprise Linux versions.

Comment 10 errata-xmlrpc 2017-05-09 17:17:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208