Bug 1488961 (CVE-2017-13748)

Summary: CVE-2017-13748 jasper: tile memory not released on image parsing errors
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmcclain, cfergeau, dblechte, eedri, erik-fedora, jridky, lsurette, mgoldboi, michal.skrivanek, mike, rdieter, rh-spice-bugs, rjones, srevivo, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 2.0.17 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-18 06:27:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1434464, 1434465, 1434467, 1485287, 1910583    
Bug Blocks: 1449402    

Description Andrej Nemec 2017-09-06 13:57:58 UTC 
There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a denial of service attack.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1485287
Comment 1 Andrej Nemec 2017-09-06 14:07:29 UTC 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434464]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]
Comment 2 Tomas Hoger 2017-12-07 14:08:44 UTC 
Reported upstream now via:

https://github.com/mdadams/jasper/issues/168

There is no bug in jas_strdup() as originally claimed, and only a fairly minor issue in the imginfo tool related to jas_strdup(), as the tool does not de-init Jasper library properly on errors.  That does not really matter, as the program exits immediately.

The real problem seems to be a lack of proper release of memory used to store image tile data when image decoding fails.  There's also an open merge request upstream that aims to address this problem by calling jpc_dec_tilefini() from jpc_dec_destroy():

https://github.com/mdadams/jasper/pull/159

However, the problem remains unfixed in the current upstream version 2.0.14.
Comment 5 Tomas Hoger 2020-12-28 21:24:48 UTC 
Upstream commit:

https://github.com/jasper-software/jasper/commit/c4d3456d4e3f071ab7b3323422282e880a6b10ca

The issue was fixed upstream in jasper 2.0.17.
Comment 6 Product Security DevOps Team 2021-01-18 06:27:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-13748