Bug 1565333 (CVE-2018-9252)

Summary: CVE-2018-9252 jasper: reachable assertion in jpc_abstorelstepsize() in jpc_enc.c
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bmcclain, cfergeau, eedri, erik-fedora, jpopelka, jridky, lsurette, mgoldboi, michal.skrivanek, mike, rh-spice-bugs, rjones, sbonazzo, sherold, srevivo, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jasper 2.0.17 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 20:00:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1565334, 1565335, 1565336, 1565337, 1583042    
Bug Blocks: 1565338    

Description Laura Pardo 2018-04-09 20:46:15 UTC
A flaw was found in JasPer 2.0.14 which allows denial of service via a reachable assertion in the function jpc_abstorelstepsize in libjasper/jpc/jpc_enc.c.


Reference:
https://github.com/mdadams/jasper/issues/173

Comment 1 Laura Pardo 2018-04-09 20:46:57 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1565335]


Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1565334]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1565337]

Comment 3 Doran Moppert 2018-05-28 06:51:21 UTC
See also CVE-2018-9055 (bug 1561699), which is another assertion failure in the same call chain, strongly related to this one.

Comment 6 Doran Moppert 2018-05-28 06:55:29 UTC
Statement:

The following products are now in Extended Life Phase of the support and maintenance life cycle.
* Red Hat Enterprise Linux 5
* Red Hat Enterprise Virtualization 3
The following products are now in Maintenance Phase 2 of the support and maintenance life cycle.
* Red Hat Enterprise Linux 6
This issue is not currently planned to be addressed in future updates of these products.
For additional information, please refer to the Life Cycle and Update Policies:  https://access.redhat.com/support/policy/update_policies/

Comment 8 Tomas Hoger 2018-05-29 08:26:26 UTC
This problem is reproducible even in old version such as 1.900.2.  The issue remains unfixed in the latest upstream version 2.0.14.

This assertion is triggered during image encoding, e.g. when converting a specially-crafted image to a different format using jasper.  This lowers impact of this issue.

Comment 11 Tomas Hoger 2020-12-10 21:19:18 UTC
Upstream commit:

https://github.com/jasper-software/jasper/commit/6cd1e1d8aff56d0d86d4e7d1e7e3e4dd1c64b55d

The issue was fixed upstream in jasper 2.0.17.