Bug 1434458 (CVE-2017-6850)

Summary: CVE-2017-6850 jasper: uninitialized pointer use in jp2_cdef_destroy()
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, bmcclain, cfergeau, dblechte, eedri, erik-fedora, jridky, kseifried, lsurette, mgoldboi, michal.skrivanek, mike, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, srevivo, tiwillia, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 2.0.13 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-31 15:02:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1434464, 1434465, 1434466, 1434467    
Bug Blocks: 1314477    

Description Adam Mariš 2017-03-21 14:31:34 UTC
Null pointer dereference vulnerability in jp2_cdef_destroy was found.

Upstream bug:

https://github.com/mdadams/jasper/issues/112

Upstream patch:

https://github.com/mdadams/jasper/commit/e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d

Reference:

http://seclists.org/oss-sec/2017/q1/191

Comment 1 Adam Mariš 2017-03-21 14:44:59 UTC
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1434466]
Affects: fedora-all [bug 1434464]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]

Comment 2 Tomas Hoger 2017-03-31 14:58:43 UTC
The problem here was that the jp2_box_get() function, unlike jp2_box_create(), did not properly initialize members of the jp2_box_t structure after allocating it.  If some error occurred while reading data from the file before the structure was fully initialized causing jasper to call jp2_box_destroy().  While destroying the structure, and uninitialized pointer could be used or freed (e.g. in the jp2_cdef_destroy() function).

This issue did not affect the versions of jasper as shipped in Red Hat Enterprise Linux, as they used jas_calloc() instead of jas_malloc() to allocate jp2_box_t in jp2_box_get() causing it to be initialized.  This fix was included as part of the fix for CVE-2008-3520 (see bug 461476).

Comment 3 Tomas Hoger 2017-03-31 14:59:57 UTC
There's no released upstream version including the fix, but as the latest released is 2.0.12, and the fix is already committed, the next version - presumably 2.0.13 - should contain it.

Comment 4 Tomas Hoger 2017-03-31 15:01:03 UTC
Original reporter's advisory:

https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-jp2_cdef_destroy-jp2_cod-c/

Relevant information from the advisory:

Another round of fuzzing shows that a crafted image causes a NULL pointer access.

The complete ASan output:

# imginfo -f $FILE
cannot parse box data
ASAN:DEADLYSIGNAL
=================================================================
==6697==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041da35 bp 0xbebebebebebebeae sp 0x7fff60ad6480 T0)
    #0 0x41da34 in atomic_compare_exchange_strong /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41da34 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:468
    #2 0x41da34 in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:522
    #3 0x41da34 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:725
    #4 0x4d271c in free /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:50
    #5 0x7f86ef11c995 in jp2_cdef_destroy /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:230:3
    #6 0x7f86ef11e18e in jp2_box_destroy /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:212:3
    #7 0x7f86ef11e18e in jp2_box_get /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:319
    #8 0x7f86ef1219f6 in jp2_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_dec.c:159:16
    #9 0x7f86ef0e4214 in jas_image_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_image.c:444:16
    #10 0x50a3be in main /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/appl/imginfo.c:238:16
    #11 0x7f86ee1c478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #12 0x419cd8 in _start (/usr/bin/imginfo+0x419cd8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong
==6697==ABORTING

Affected version: 2.0.10

Fixed version: 2.0.13 (not released atm)

Commit fix:
https://github.com/mdadams/jasper/commit/e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d

Credit: This bug was discovered by Agostino Sarubbo of Gentoo.

CVE: CVE-2017-6850

Reproducer:
https://github.com/asarubbo/poc/blob/master/00124-jasper-nullptr-jp2_cdef_destroy

Comment 6 Andrej Nemec 2017-07-19 15:22:37 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434464]