Bug 1388863 (CVE-2016-8880)

Summary: CVE-2016-8880 jasper: heap buffer overflow in jpc_dec_cp_setfromcox() (rejected duplicate of CVE-2011-4516)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, bmcclain, cfergeau, dblechte, dmcphers, eedri, erik-fedora, gklein, jialiu, jokerman, jridky, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, srevivo, tiwillia, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 1.900.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-14 14:38:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1388873, 1388874, 1388875, 1388876    
Bug Blocks: 1314477    

Description Adam Mariš 2016-10-26 10:29:36 UTC 
Heap-based buffer overflow was found in jpc_dec_cp_setfromcox() triggered by malformed jpeg2000 file.

Upstream bug:

https://github.com/mdadams/jasper/issues/28

CVE assignment:

http://seclists.org/oss-sec/2016/q4/216
Comment 1 Adam Mariš 2016-10-26 10:51:58 UTC 
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388874]
Affects: epel-7 [bug 1388876]
Comment 2 Adam Mariš 2016-10-26 10:52:16 UTC 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388873]
Affects: epel-5 [bug 1388875]
Comment 3 Tomas Hoger 2016-12-14 14:38:14 UTC 
This really is a duplicate of CVE-2011-4516 (bug 747726), with slightly different symptoms.  The problem is missing check of the maximum value for the number of resolution levels (numrlvls) in the jpc_cox_getcompparms() function.

This could lead to out-of-bounds write directly in the jpc_cox_getcompparms() function as originally described for CVE-2011-4516 - when writing to rlvls[] array inside jpc_coxcp_t type structure compparms.

In case of the CVE-2016-8880 reproducer, out-of-bounds write in jpc_cox_getcompparms() was avoided, and a different out-of-bounds reads and writes were triggered in jpc_dec_cp_setfromcox() - reading from the mentioned rlvls[] array and writing to prcwidthexpns[] and prcheightexpns[] arrays inside of the ccp structure of type jpc_dec_ccp_t.

In Red Hat products, this issue was already corrected in previous updates for CVE-2011-4516.

Problem was addressed upstream in version 1.900.5 via this commit:

https://github.com/mdadams/jasper/commit/0d22460816ea58e74a124158fa6cc48efb709a47
Comment 5 Andrej Nemec 2017-01-18 09:37:53 UTC 
This CVE was rejected by Mitre:

Common Vulnerabilities and Exposures assigned an identifier CVE-2016-8880 to
the following vulnerability:

Name: CVE-2016-8880
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8880
Assigned: 20161022

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs:
CVE-2011-4516. Reason: This candidate is a duplicate of CVE-2011-4516.
Notes: All CVE users should reference CVE-2011-4516 instead of this
candidate. All references and descriptions in this candidate have been
removed to prevent accidental usage.
Comment 6 Doran Moppert 2020-06-17 08:30:51 UTC 

*** This bug has been marked as a duplicate of bug 747726 ***
Comment 7 Doran Moppert 2020-06-17 08:38:20 UTC 
Statement:

This flaw was found to be a duplicate of CVE-2011-4516. Please see https://access.redhat.com/security/cve/CVE-2011-4516 for information about affected products and security errata.