Bug 1385502 (CVE-2016-8691, CVE-2016-8692)
Summary: | CVE-2016-8691 CVE-2016-8692 jasper: missing SIZ marker segment XRsiz and YRsiz fields range check | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | abhgupta, bmcclain, cfergeau, dblechte, dmcphers, eedri, erik-fedora, jialiu, jokerman, jridky, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, slawomir, srevivo, tiwillia, ykaul, ylavi |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | jasper 1.900.4 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-05-09 21:45:50 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1385516, 1385517, 1385518, 1385519, 1439171, 1439172, 1439173, 1439174 | | |
Bug Blocks: | 1314477 | | |
Description
Adam Mariš
2016-10-17 08:40:25 UTC
Please, don't make changes to flaw bugs! These should be modified only by members of Product Security. Tracking bugs for Fedora will be created soon. Thanks!

Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]

Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]

There are two related issues that got separate CVEs assigned, CVE-2016-8691 and CVE-2016-8692, even though they should have got a single CVE based on MITRE CVE assignment rules. They have also been addressed via the same upstream commit. Merging the tracking of both CVEs into a single bug.

Prior to the patch, the jpc_siz_getparms() function failed to sanity check the values of the XRsiz and YRsiz fields of the SIZ marker segment. That could lead to an attempt to perform division by 0, and hence unexpected program termination, inside the jpc_dec_process_siz() function.

Both issues are covered by this advisory from the original reporter:
https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/

CVE-2016-8691 is for the missing check of the XRsiz value.

Upstream bug report: https://github.com/mdadams/jasper/issues/22

Details from the original reporter's advisory:

```
# imginfo -f $FILE
warning: trailing garbage in marker segment (2 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==31103==ERROR: AddressSanitizer: FPE on unknown address 0x7f5b9237e7df (pc 0x7f5b9237e7df bp 0x7fff3818a0c0 sp 0x7fff38189fa0 T0)
    #0 0x7f5b9237e7de in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17
    #1 0x7f5b923842b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f5b923842b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f5b92327a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f5b9143f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17 in jpc_dec_process_siz
==31103==ABORTING
```

CVE-2016-8692 is for the missing check of the YRsiz value.

Upstream bug report: https://github.com/mdadams/jasper/issues/23

Details from the original reporter's advisory:

```
# imginfo -f $FILE
warning: trailing garbage in marker segment (5 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==24077==ERROR: AddressSanitizer: FPE on unknown address 0x7f78c36f9822 (pc 0x7f78c36f9822 bp 0x7ffe2bff10c0 sp 0x7ffe2bff0fa0 T0)
    #0 0x7f78c36f9821 in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18
    #1 0x7f78c36ff2b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f78c36ff2b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f78c36a2a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f78c27ba61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18 in jpc_dec_process_siz
==24077==ABORTING
```

*** Bug 1385503 has been marked as a duplicate of this bug. ***

Impact of this problem is limited to unexpected application termination. There is currently no plan to backport the fix to already released Red Hat Enterprise Linux versions.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208
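To make the missing check concrete, here is an added example of a small SIZ marker segment parser that performs the XRsiz/YRsiz range check the bug describes and then derives a component's dimensions the way a decoder does. It is written for this page and is not JasPer's code: the field layout follows the JPEG 2000 SIZ segment (Lsiz, Rsiz, Xsiz, Ysiz, XOsiz, YOsiz, XTsiz, YTsiz, XTOsiz, YTOsiz, Csiz, then Ssiz/XRsiz/YRsiz per component), the function names, the four-component cap and the sample bytes are this example's own constructions, and the width/height formula is a simplified stand-in for what jpc_dec_process_siz() computes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-component fields of the SIZ marker segment. XRsiz/YRsiz are the
 * horizontal and vertical sample separations; the valid range is 1..255,
 * so a zero value is malformed input and must be rejected before use. */
struct siz_component {
    uint8_t ssiz;   /* bit depth and signedness */
    uint8_t xrsiz;  /* horizontal sample separation (divisor below) */
    uint8_t yrsiz;  /* vertical sample separation (divisor below) */
};

struct siz_segment {
    uint16_t lsiz, rsiz;
    uint32_t xsiz, ysiz, xosiz, yosiz;
    uint32_t xtsiz, ytsiz, xtosiz, ytosiz;
    uint16_t csiz;
    struct siz_component comps[4]; /* cap chosen for this example only */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the bytes following the SIZ marker code. Returns 0 on success and
 * -1 on any truncated or out-of-range field. The XRsiz/YRsiz check is the
 * one jpc_siz_getparms() lacked before jasper 1.900.4. */
static int siz_parse(const uint8_t *buf, size_t len, struct siz_segment *s)
{
    if (len < 38) return -1;                          /* fixed part is 38 bytes */
    s->lsiz = rd16(buf);        s->rsiz = rd16(buf + 2);
    s->xsiz = rd32(buf + 4);    s->ysiz = rd32(buf + 8);
    s->xosiz = rd32(buf + 12);  s->yosiz = rd32(buf + 16);
    s->xtsiz = rd32(buf + 20);  s->ytsiz = rd32(buf + 24);
    s->xtosiz = rd32(buf + 28); s->ytosiz = rd32(buf + 32);
    s->csiz = rd16(buf + 36);
    if (s->csiz < 1 || s->csiz > 4) return -1;        /* example's component cap */
    if (s->lsiz != 38 + 3u * s->csiz) return -1;      /* Lsiz must match Csiz */
    if (len < s->lsiz) return -1;                     /* segment is truncated */
    if (s->xsiz <= s->xosiz || s->ysiz <= s->yosiz) return -1; /* empty image area */
    for (unsigned i = 0; i < s->csiz; i++) {
        const uint8_t *c = buf + 38 + 3 * i;
        s->comps[i].ssiz = c[0];
        s->comps[i].xrsiz = c[1];
        s->comps[i].yrsiz = c[2];
        /* The range check this bug is about: a zero separation would be
         * used as a divisor when component dimensions are derived. */
        if (s->comps[i].xrsiz == 0 || s->comps[i].yrsiz == 0) return -1;
    }
    return 0;
}

/* ceil(a / b) without intermediate overflow; b is known non-zero here. */
static uint32_t ceildiv(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)a + b - 1) / b);
}

/* Component dimensions as a decoder derives them after a successful parse.
 * These are only safe to call because siz_parse() rejected zero divisors. */
static uint32_t siz_component_width(const struct siz_segment *s, unsigned i) {
    return ceildiv(s->xsiz, s->comps[i].xrsiz) - ceildiv(s->xosiz, s->comps[i].xrsiz);
}
static uint32_t siz_component_height(const struct siz_segment *s, unsigned i) {
    return ceildiv(s->ysiz, s->comps[i].yrsiz) - ceildiv(s->yosiz, s->comps[i].yrsiz);
}

/* Constructed sample segment: one 64x32 8-bit component, XRsiz = YRsiz = 1. */
static const uint8_t SAMPLE_SIZ[41] = {
    0x00, 0x29,             /* Lsiz = 41 */
    0x00, 0x00,             /* Rsiz */
    0x00, 0x00, 0x00, 0x40, /* Xsiz = 64 */
    0x00, 0x00, 0x00, 0x20, /* Ysiz = 32 */
    0x00, 0x00, 0x00, 0x00, /* XOsiz */
    0x00, 0x00, 0x00, 0x00, /* YOsiz */
    0x00, 0x00, 0x00, 0x40, /* XTsiz */
    0x00, 0x00, 0x00, 0x20, /* YTsiz */
    0x00, 0x00, 0x00, 0x00, /* XTOsiz */
    0x00, 0x00, 0x00, 0x00, /* YTOsiz */
    0x00, 0x01,             /* Csiz = 1 */
    0x07, 0x01, 0x01        /* Ssiz, XRsiz, YRsiz */
};

/* Parse a copy of the sample with component 0's XRsiz/YRsiz overridden,
 * so the effect of the range check on malformed values can be observed. */
static int parse_with_separation(uint8_t xrsiz, uint8_t yrsiz, struct siz_segment *out)
{
    uint8_t buf[sizeof SAMPLE_SIZ];
    memcpy(buf, SAMPLE_SIZ, sizeof buf);
    buf[39] = xrsiz; /* component 0: Ssiz at 38, XRsiz at 39, YRsiz at 40 */
    buf[40] = yrsiz;
    return siz_parse(buf, sizeof buf, out);
}

int main(void)
{
    struct siz_segment s;
    const uint8_t cases[][2] = { {1, 1}, {2, 1}, {0, 1}, {1, 0} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = parse_with_separation(cases[i][0], cases[i][1], &s);
        if (rc == 0)
            printf("XRsiz=%u YRsiz=%u: ok, component 0 is %ux%u\n", cases[i][0],
                   cases[i][1], siz_component_width(&s, 0), siz_component_height(&s, 0));
        else
            printf("XRsiz=%u YRsiz=%u: rejected by range check\n", cases[i][0], cases[i][1]);
    }
    return 0;
}
```

The zero-separation cases are refused at parse time, so the division in the dimension helpers is never reached with a zero divisor; the same ordering (validate the segment, then derive values from it) is what the upstream fix adds to jpc_siz_getparms().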