Bug 1393882 (CVE-2016-9262)

Summary: CVE-2016-9262 jasper: integer truncation in jas_image_cmpt_create()
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, bmcclain, carnil, cfergeau, dblechte, dmcphers, eedri, erik-fedora, jialiu, jokerman, jridky, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, slawomir, srevivo, tiwillia, ykaul, ylavi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jasper 1.900.22
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-09 21:44:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1393883, 1393884, 1393885, 1393887, 1439171, 1439172, 1439173, 1439174
Bug Blocks: 1314477

Description Adam Mariš 2016-11-10 14:33:29 UTC
A number of overflows were found in jasper causing a use-after-free vulnerability triggered by a crafted image.

Upstream patch:

https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735

Reproducer:

https://github.com/asarubbo/poc/blob/master/00028-jasper-uaf-jas_realloc

CVE assignment:

http://seclists.org/oss-sec/2016/q4/385

Comment 1 Adam Mariš 2016-11-10 14:34:42 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1393884]
Affects: epel-7 [bug 1393887]

Comment 2 Adam Mariš 2016-11-10 14:35:01 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1393883]
Affects: epel-5 [bug 1393885]

Comment 3 Tomas Hoger 2017-03-29 13:25:14 UTC
Upstream bug report:

https://github.com/mdadams/jasper/issues/74

Original reporter's advisory:

https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c/

Relevant info from the advisory:

A crafted image, maybe posted in the past as testcase for another bug, causes in the 1.900.18 version a use-after-free. No fuzzers involved at this time.

The complete ASan output:

# imginfo -f $FILE
Corrupt JPEG data: 19 extraneous bytes before marker 0xda
=================================================================
==21990==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000009b80 at pc 0x7fce4229d29d bp 0x7fffab22f9a0 sp 0x7fffab22f998
READ of size 8 at 0x619000009b80 thread T0
    #0 0x7fce4229d29c in jas_realloc /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:182:21
    #1 0x7fce422a5e38 in mem_resize /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:1001:14
    #2 0x7fce422a5e38 in mem_write /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:1027
    #3 0x7fce422a30e5 in jas_stream_flushbuf /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:822:7
    #4 0x7fce422a4b4c in jas_stream_flush /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:752:9
    #5 0x7fce422a4b4c in jas_stream_seek /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:659
    #6 0x7fce42273928 in jas_image_cmpt_create /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:351:4
    #7 0x7fce42276986 in jas_image_addcmpt /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:723:18
    #8 0x7fce4233e3fc in jpg_mkimage /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/jpg/jpg_dec.c:268:7
    #9 0x7fce4233e3fc in jpg_decode /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/jpg/jpg_dec.c:183
    #10 0x7fce422749bd in jas_image_decode /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:396:16
    #11 0x4f1330 in main /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/appl/imginfo.c:203:16
    #12 0x7fce4138961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #13 0x418cb8 in _init (/usr/bin/imginfo+0x418cb8)

0x619000009b80 is located 0 bytes inside of 1056-byte region [0x619000009b80,0x619000009fa0)
freed by thread T0 here:
    #0 0x4bff00 in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x7fce4229d359 in jas_free /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:225:3

previously allocated by thread T0 here:
    #0 0x4c0208 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7fce4229d0b2 in jas_malloc /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:148:13

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:182:21 in jas_realloc
Shadow bytes around the buggy address:
  0x0c327fff9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff9370:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff93a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff93b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff93c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21990==ABORTING

Affected version: 1.900.18

Fixed version: 1.900.22

Commit fix:
https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735

Comment 4 Tomas Hoger 2017-03-29 13:32:35 UTC
This is one of the problems that were already discussed as part of CVE-2015-5203, see bug 1254242 comment 11.  There was an integer overflow problem in the jas_image_cmpt_create() function.  Earlier patches ensured that the result of the multiplication can fit into size_t type, but later passed the value to the jas_stream_memopen() function, which takes the size with the type of int.  This integer truncation could lead to bypass of the original integer overflow fix.
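The truncation pattern comment 4 describes, as an added illustration that is not jasper's code and not part of this bug report: a size is computed with a size_t overflow check, then handed to a callee whose parameter is int, so a value that passed the size_t check is silently narrowed. The functions flawed_flow(), hardened_flow() and memopen_model() are hypothetical stand-ins (memopen_model() only mirrors the `int size` parameter shape of the real call); the hardened variant adds the range check against INT_MAX that the original fix lacked.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a callee that takes its size as int.
 * It returns the size it actually received so truncation is observable. */
static long long memopen_model(int size)
{
    return size;
}

/* Overflow-checked multiply in size_t: false if a*b would wrap. */
static bool mul_fits_size_t(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Flawed flow (models the pre-fix pattern): the size_t check passes,
 * but the value is implicitly narrowed to int at the call site.
 * Returns the size the callee saw, or -1 if the size_t check rejected it. */
long long flawed_flow(size_t width, size_t height, size_t bytes_per_sample)
{
    size_t tmp, nbytes;
    if (!mul_fits_size_t(width, height, &tmp))
        return -1;
    if (!mul_fits_size_t(tmp, bytes_per_sample, &nbytes))
        return -1;
    return memopen_model(nbytes);   /* implicit size_t -> int conversion */
}

/* Hardened flow: the value must also fit the callee's parameter type
 * before it is passed along. */
long long hardened_flow(size_t width, size_t height, size_t bytes_per_sample)
{
    size_t tmp, nbytes;
    if (!mul_fits_size_t(width, height, &tmp))
        return -1;
    if (!mul_fits_size_t(tmp, bytes_per_sample, &nbytes))
        return -1;
    if (nbytes > (size_t)INT_MAX)   /* the check the original fix was missing */
        return -1;
    return memopen_model((int)nbytes);
}

int main(void)
{
    /* Constructed inputs: a small image, and one whose byte count is 2^32,
     * which fits size_t on 64-bit platforms but not int. */
    printf("small image:  flawed=%lld hardened=%lld\n",
           flawed_flow(100, 100, 2), hardened_flow(100, 100, 2));
    printf("2^32 bytes:   flawed=%lld hardened=%lld\n",
           flawed_flow(65536, 65536, 1), hardened_flow(65536, 65536, 1));
    return 0;
}
```

On a 64-bit build the second line shows the flawed path handing the callee a size of 0 (the low 32 bits of 2^32) while the hardened path rejects the request; compiling with -Wconversion would also flag the implicit narrowing in flawed_flow().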

Comment 7 errata-xmlrpc 2017-05-09 17:18:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208