Bug 1434458 (CVE-2017-6850)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2017-6850 jasper: uninitialized pointer use in jp2_cdef_destroy() | | |
| Product | [Other] Security Response | Reporter | Adam Mariš <amaris> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | abhgupta, bmcclain, cfergeau, dblechte, eedri, erik-fedora, jridky, kseifried, lsurette, mgoldboi, michal.skrivanek, mike, rbalakri, rdieter, rh-spice-bugs, rjones, sherold, srevivo, tiwillia, ykaul, ylavi |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | jasper 2.0.13 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-03-31 15:02:36 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1434464, 1434465, 1434466, 1434467 | | |
| Bug Blocks | 1314477 | | |
Description
Adam Mariš
2017-03-21 14:31:34 UTC
Created jasper tracking bugs for this issue:
Affects: epel-5 [bug 1434466]
Affects: fedora-all [bug 1434464]

Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]

The problem here was that the jp2_box_get() function, unlike jp2_box_create(), did not properly initialize members of the jp2_box_t structure after allocating it. If an error occurred while reading data from the file before the structure was fully initialized, jasper called jp2_box_destroy() on the partially initialized structure. While destroying the structure, an uninitialized pointer could be used or freed (e.g. in the jp2_cdef_destroy() function).

This issue did not affect the versions of jasper as shipped in Red Hat Enterprise Linux, as they used jas_calloc() instead of jas_malloc() to allocate jp2_box_t in jp2_box_get(), causing it to be zero-initialized. This fix was included as part of the fix for CVE-2008-3520 (see bug 461476).

There is no released upstream version including the fix, but as the latest release is 2.0.12 and the fix is already committed, the next version, presumably 2.0.13, should contain it.

Original reporter's advisory: https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-jp2_cdef_destroy-jp2_cod-c/

Relevant information from the advisory:

Another round of fuzzing shows that a crafted image causes a NULL pointer access.

The complete ASan output:

```
# imginfo -f $FILE
cannot parse box data
ASAN:DEADLYSIGNAL
=================================================================
==6697==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041da35 bp 0xbebebebebebebeae sp 0x7fff60ad6480 T0)
    #0 0x41da34 in atomic_compare_exchange_strong /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41da34 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:468
    #2 0x41da34 in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:522
    #3 0x41da34 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:725
    #4 0x4d271c in free /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:50
    #5 0x7f86ef11c995 in jp2_cdef_destroy /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:230:3
    #6 0x7f86ef11e18e in jp2_box_destroy /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:212:3
    #7 0x7f86ef11e18e in jp2_box_get /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:319
    #8 0x7f86ef1219f6 in jp2_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_dec.c:159:16
    #9 0x7f86ef0e4214 in jas_image_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_image.c:444:16
    #10 0x50a3be in main /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/appl/imginfo.c:238:16
    #11 0x7f86ee1c478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #12 0x419cd8 in _start (/usr/bin/imginfo+0x419cd8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong
==6697==ABORTING
```

Affected version: 2.0.10
Fixed version: 2.0.13 (not released atm)
Commit fix: https://github.com/mdadams/jasper/commit/e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d
Credit: This bug was discovered by Agostino Sarubbo of Gentoo.
CVE: CVE-2017-6850
Reproducer: https://github.com/asarubbo/poc/blob/master/00124-jasper-nullptr-jp2_cdef_destroy
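The allocation pattern the description identifies, as an added C example that is not code from jasper, from this report, or from the advisory: a box structure is allocated, partially filled from the input, and handed to a destroy routine that unconditionally frees a member pointer when parsing stops early. The structure, field and function names (box_t, box_get, box_destroy, parse_chan_sum, the SAMPLE_* buffers and their byte layout) are assumptions for this example, not jasper's. The fix shown is the one the report credits to the RHEL build and the upstream commit, zeroing the structure with calloc so the early error path frees NULL instead of uninitialized heap bytes. As a reading aid for the trace above: the 0xbe byte pattern in the bp register is AddressSanitizer's default fill for freshly malloc'ed memory, which is consistent with an uninitialized field reaching free().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-in for jasper's jp2_box_t / jp2_cdef_t:
 * a box header followed by a variable-length channel table. Every name
 * here is an assumption for this example, not jasper's own API. */
typedef struct {
    uint32_t  type;      /* four-byte box type tag */
    uint16_t  numchans;  /* number of entries in the channel table */
    uint16_t *chans;     /* heap table; must be NULL until allocated */
} box_t;

/* Written the way the report describes jp2_cdef_destroy(): it frees the
 * table unconditionally, so it is only safe when every field is defined. */
static void box_destroy(box_t *box)
{
    free(box->chans);   /* free(NULL) is a no-op; free(garbage) is not */
    free(box);
}

/* The fix: allocate zeroed, so a half-parsed box still has chans == NULL
 * when the error path hands it to box_destroy(). The vulnerable variant
 * was the same function with malloc(sizeof(box_t)) and no zeroing. */
static box_t *box_alloc(void)
{
    return calloc(1, sizeof(box_t));
}

/* Constructed layout for this example (not the JP2 box format):
 *   [4 bytes type][2 bytes big-endian numchans][numchans * 2 bytes chans]
 * Returns NULL on truncation, after destroying the partially filled box. */
box_t *box_get(const uint8_t *buf, size_t len)
{
    box_t *box = box_alloc();
    if (!box)
        return NULL;

    if (len < 6)
        goto error;                 /* header truncated: chans never touched */
    box->type = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    box->numchans = (uint16_t)((buf[4] << 8) | buf[5]);

    /* This is the window the original bug lived in: numchans is set,
     * chans is not, and a short file sends us to box_destroy(). */
    if (len - 6 < (size_t)box->numchans * 2)
        goto error;

    if (box->numchans > 0) {
        box->chans = malloc(box->numchans * sizeof *box->chans);
        if (!box->chans)
            goto error;
        for (size_t i = 0; i < (size_t)box->numchans; i++)
            box->chans[i] = (uint16_t)((buf[6 + 2 * i] << 8) | buf[7 + 2 * i]);
    }
    return box;

error:
    box_destroy(box);               /* safe only because of box_alloc()'s calloc */
    return NULL;
}

/* Convenience wrapper: sum of the channel entries, or -1 on parse failure. */
long parse_chan_sum(const uint8_t *buf, size_t len)
{
    box_t *box = box_get(buf, len);
    if (!box)
        return -1;
    long sum = 0;
    for (size_t i = 0; i < (size_t)box->numchans; i++)
        sum += box->chans[i];
    box_destroy(box);
    return sum;
}

/* Constructed sample inputs (not taken from the advisory's reproducer). */
const uint8_t SAMPLE_FULL[]      = { 'c','d','e','f', 0,2, 0,1, 0,2 };  /* 2 chans: 1, 2 */
const uint8_t SAMPLE_TRUNCATED[] = { 'c','d','e','f', 0,2, 0,1 };       /* claims 2, carries 1 */
const uint8_t SAMPLE_EMPTY[]     = { 'c','d','e','f', 0,0 };            /* 0 chans, no table */

int main(void)
{
    printf("full:      %ld\n", parse_chan_sum(SAMPLE_FULL, sizeof SAMPLE_FULL));
    printf("truncated: %ld\n", parse_chan_sum(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("empty:     %ld\n", parse_chan_sum(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY));
    return 0;
}
```

The truncated input is the case that matters: it passes the header check, sets numchans, then fails before the table is allocated, which is exactly the state in which jp2_box_destroy() was reached in the report. With calloc the destroy path sees a NULL table and the parse cleanly returns an error; with a plain malloc the same input would hand whatever bytes the allocator left in the structure to free(). Building with -fsanitize=address and running the truncated case against the malloc variant is the quickest way to confirm which behaviour a given build has.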