Bug 1561699 (CVE-2018-9055)

Summary: CVE-2018-9055 jasper: reachable assertion in jpc_firstone() in jpc_math.c
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bmcclain, cfergeau, eedri, erik-fedora, jpopelka, jridky, lsurette, mgoldboi, michal.skrivanek, mike, rh-spice-bugs, rjones, sherold, srevivo, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 2.0.17 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 19:59:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1561700, 1561701, 1561702, 1563977, 1563978, 1563979    
Bug Blocks: 1561703    

Description Laura Pardo 2018-03-28 17:41:01 UTC 
JasPer 2.0.14 allows denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c which could lead to a denial of service attack.


References:
https://github.com/mdadams/jasper/issues/172
Comment 1 Laura Pardo 2018-03-28 17:41:46 UTC 
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1561702]


Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1561700]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1561701]
Comment 2 Doran Moppert 2018-04-05 06:21:02 UTC 
The vulnerability was introduced just prior to 1.900.19, with the conversion of some local variables from `int` to `jpc_fix_t`, which can be larger than 32 bits.
Comment 3 Doran Moppert 2018-04-05 06:34:43 UTC 
In reply to comment 2:
> The vulnerability was introduced just prior to 1.900.19,

Correction:  the particular instance of the vulnerability shown in the upstream report's stack trace was introduced in this version.  jpc_firstone() is used quite widely in the code base, and other conversions to jpc_fix_t (eg in jpc/jpc_enc.c) using data from the input file could trigger the same assertion.  Applying the upstream patch which converts jpc_firstone(int) to jpc_firstone(int_fast32_t) corrects all of these cases.
Comment 4 Doran Moppert 2018-04-05 06:42:16 UTC 
Statement:

The following products are now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates of these products.
* Red Hat Enterprise Linux 5
* Red Hat Enterprise Virtualization 3
For additional information, please refer to the Life Cycle and Update Policies:  https://access.redhat.com/support/policy/update_policies/
Comment 6 Tomas Hoger 2018-05-29 14:14:30 UTC 
This issue affects the latest released jasper 2.0.14, and not fix has been applied upstream, even though reporter already closed the upstream bug.

This assertion is triggered during image encoding, e.g. when converting a specially-crafted image to a different format using jasper.  This lowers impact of this issue.
Comment 8 Tomas Hoger 2020-12-10 21:21:55 UTC 
Upstream commit:

https://github.com/jasper-software/jasper/commit/e6c8d5a838b49f94616be14753aa5c89d64605b5

The issue was fixed upstream in jasper 2.0.17.