Bug 1435324 (CVE-2017-6851)

Summary: CVE-2017-6851 jasper: Invalid memory read in jas_matrix_bindsub (jas_seq.c)
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: abhgupta, bmcclain, cfergeau, eedri, erik-fedora, jridky, lsurette, mgoldboi, michal.skrivanek, mike, rh-spice-bugs, rjones, srevivo, tiwillia, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2021-10-21 11:52:27 UTC
Bug Depends On: 1434464, 1434465, 1434467
Bug Blocks: 1449402

Description Andrej Nemec 2017-03-23 14:28:23 UTC
The jas_matrix_bindsub function in jas_seq.c in JasPer allows attackers to cause a denial of service (invalid read) via a crafted image.

References:

https://blogs.gentoo.org/ago/2017/01/25/jasper-invalid-memory-read-in-jas_matrix_bindsub-jas_seq-c/
http://www.openwall.com/lists/oss-security/2017/01/25/9

Upstream bug:

https://github.com/mdadams/jasper/issues/113

Comment 1 Andrej Nemec 2017-03-23 14:30:59 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434464]

Comment 2 Andrej Nemec 2017-03-23 14:32:07 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1434465]

Comment 3 Andrej Nemec 2017-03-23 14:33:49 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434467]

Comment 4 Tomas Hoger 2017-03-31 19:45:22 UTC
Original reporter's advisory:

https://blogs.gentoo.org/ago/2017/01/25/jasper-invalid-memory-read-in-jas_matrix_bindsub-jas_seq-c/

Relevant information from the advisory:

Another round of fuzzing shows that a crafted image causes an invalid memory read.

The complete ASan output:

# imginfo -f $FILE
warning: ignoring unknown marker segment (0xff59)
type = 0xff59 (UNKNOWN); len = 20;00 40 40 00 00 00 00 69 00 00 00 00 00 00 00 00 00 00 warning: ignoring unknown marker segment (0xff46)
type = 0xff46 (UNKNOWN); len = 20;01 40 40 00 00 00 00 00 00 00 00 00 00 00 12 00 94 7f ASAN:DEADLYSIGNAL
=================================================================
==22653==ERROR: AddressSanitizer: SEGV on unknown address 0x60180000ec30 (pc 0x7f410df421b7 bp 0x7ffdc80abaf0 sp 0x7ffdc80aba60 T0)
==22653==The signal is caused by a READ memory access.
    #0 0x7f410df421b6 in jas_matrix_bindsub /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_seq.c:254:18
    #1 0x7f410df951a1 in jpc_dec_tileinit /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jpc/jpc_dec.c:835:5
    #2 0x7f410df951a1 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jpc/jpc_dec.c:594
    #3 0x7f410dfa1853 in jpc_dec_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jpc/jpc_dec.c:425:10
    #4 0x7f410dfa1853 in jpc_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jpc/jpc_dec.c:262
    #5 0x7f410df71231 in jp2_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_dec.c:218:21
    #6 0x7f410df33214 in jas_image_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_image.c:444:16
    #7 0x50a3be in main /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/appl/imginfo.c:238:16
    #8 0x7f410d01378f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x419cd8 in _start (/usr/bin/imginfo+0x419cd8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_seq.c:254:18 in jas_matrix_bindsub
==22653==ABORTING

Affected version: 2.0.10

Fixed version: N/A

Commit fix: N/A

Credit: This bug was discovered by Agostino Sarubbo of Gentoo.

CVE: CVE-2017-6851

Reproducer:
https://github.com/asarubbo/poc/blob/master/00125-jasper-invalidread-jas_matrix_bindsub

Comment 5 Tomas Hoger 2017-03-31 19:47:17 UTC
This issue has not been fixed upstream yet and affects the latest released version 2.0.12.  The first version with which this can be reproduced is 1.900.25.