Bug 1388864 (CVE-2016-8881)

Summary: CVE-2016-8881 jasper: insufficient memory allocation in jpc_crg_getparms() (rejected duplicate of CVE-2011-4517)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, bmcclain, cfergeau, dblechte, dmcphers, eedri, erik-fedora, gklein, jialiu, jokerman, jridky, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, srevivo, tiwillia, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 1.900.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-15 13:03:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1388873, 1388874, 1388875, 1388876    
Bug Blocks: 1314477    

Description Adam Mariš 2016-10-26 10:33:45 UTC 
Heap buffer overflow was found in jpc_getuint16() triggered by specially crafted input file.

Upstream bug:

https://github.com/mdadams/jasper/issues/29

CVE assignment:

http://seclists.org/oss-sec/2016/q4/216
Comment 1 Adam Mariš 2016-10-26 10:51:23 UTC 
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388874]
Affects: epel-7 [bug 1388876]
Comment 2 Adam Mariš 2016-10-26 10:51:41 UTC 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1388873]
Affects: epel-5 [bug 1388875]
Comment 3 Tomas Hoger 2016-12-15 13:03:05 UTC 
This is duplicate of CVE-2011-4517 (bug 747726).  The problem was in the jpc_crg_getparms() function, which incorrectly allocated memory for cstate->numcomps.  When allocating memory, function assume that each item in the array has sizeof(uint_fast16_t).  However, it later handled each item as being of type jpc_crgcomp_t, a structure containing two uint_fast16_t type variables.  Therefore, it allocated approximately half of the required memory, leading to heap-based buffer overflow later.

In Red Hat products, this issue was already corrected in previous updates for CVE-2011-4517.

Problem was addressed upstream in version 1.900.5 via this commit:

https://github.com/mdadams/jasper/commit/0d22460816ea58e74a124158fa6cc48efb709a47
Comment 5 Andrej Nemec 2017-01-18 09:39:51 UTC 
This CVE was rejected by Mitre:

Common Vulnerabilities and Exposures assigned an identifier CVE-2016-8881 to
the following vulnerability:

Name: CVE-2016-8881
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8881
Assigned: 20161022

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs:
CVE-2011-4517. Reason: This candidate is a duplicate of CVE-2011-4517.
Notes: All CVE users should reference CVE-2011-4517 instead of this
candidate. All references and descriptions in this candidate have been
removed to prevent accidental usage.
Comment 6 Doran Moppert 2020-06-17 08:39:38 UTC 
Statement:

This flaw was found to be a duplicate of CVE-2011-4517. Please see https://access.redhat.com/security/cve/CVE-2011-4517 for information about affected products and security errata.
Comment 7 Doran Moppert 2020-06-17 08:40:02 UTC 

*** This bug has been marked as a duplicate of bug 747726 ***