Bug 1396977 (CVE-2016-9395)
| Summary: | CVE-2016-9395 jasper: reachable assertion failure in jas_seq2d_create() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | abhgupta, bmcclain, cfergeau, dblechte, dmcphers, eedri, erik-fedora, gklein, jialiu, jokerman, jridky, kseifried, lmeyer, lsurette, mgoldboi, michal.skrivanek, mike, mmccomas, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, slawomir, srevivo, tiwillia, ykaul, ylavi |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jasper 1.900.25 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-30 12:26:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1396987, 1396988, 1396989 | ||
| Bug Blocks: | 1314477 | ||
|
Description
Adam Mariš
2016-11-21 10:16:21 UTC
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1396987] Affects: epel-7 [bug 1396989] Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1396986] Affects: epel-5 [bug 1396988] Upstream bug report: https://github.com/mdadams/jasper/issues/82 Original reporter's advisory: https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/ Relevant information from the advisory: Affected version: 1.900.22 Output/failure: warning: trailing garbage in marker segment (9 bytes) warning: trailing garbage in marker segment (40 bytes) warning: ignoring unknown marker segment (0xffee) type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 ff 00 e4 00 10 00 00 4f warning: trailing garbage in marker segment (34 bytes) imginfo: /tmp/portage/media-libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/base/jas_seq.c:90: jas_matrix_t *jas_seq2d_create(int, int, int, int): Assertion `xstart <= xend && ystart <= yend' failed. Commit fix: https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a Fixed version: 1.900.25 Testcase: https://github.com/asarubbo/poc/blob/master/00043-jasper-assert-jas_matrix_t CVE: CVE-2016-9395 The problem triggered by the reporter's reproducer is that the jas_seq2d_create() function is called with arguments taken from variables of the uint_fast32_t type, while all function arguments are of type int. One of the values passed is greater than INT_MAX, causing it to be interpreted as negative in jas_seq2d_create(), resulting in end value greater than start value. One change included in the commit d42b238 linked above, that was applied in version 1.900.25, is change of the jas_seq2d_create() argument types form in to int_fast32_t. On certain architectures, such as x86_64, int_fast32_t is 64 bit type, while int is 32 bit. Therefore, values between INT_MAX and UINT_MAX are no longer handled as negative in jas_seq2d_create(). The same would not apply to architectures where sizeof(int) == sizeof(int_fast32_t). It is unclear if it would be possible to call the function with values over 2^63, which would cause similar problem for 64 bit int_fast32_t. It should also be noted that the fix changes public API/ABI, and hence can not be backported as is. The provided reproducer also does not trigger assertion failure once other security fixes are applied. Considering all this, there's currently no plan to fix this problem in released Red Hat Enterprise Linux versions. |