Bug 1664878 (CVE-2018-20570)
| Summary: | CVE-2018-20570 jasper: heap-based buffer over-read in jp2_encode() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | rh-spice-bugs |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jasper 2.0.17 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A vulnerability was found in Jasper due to a heap-based buffer overflow caused by improper bounds checking in the jp2_encode function within jp2/jp2_enc.c, an attacker could exploit this flaw by persuading a victim to open a specially crafted file, leading to a buffer overflow that could execute arbitrary code on the system or cause the application to crash.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-05-05 10:31:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1664879, 1664880, 1664881 | ||
| Bug Blocks: | 1664868 | ||
|
Description
Laura Pardo
2019-01-09 21:41:59 UTC
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1664879] Created mingw-jasper tracking bugs for this issue: Affects: epel-7 [bug 1664881] Affects: fedora-all [bug 1664880] This problem is in the following code in the jp2_encode() function: https://github.com/mdadams/jasper/blob/version-2.0.16/src/libjasper/jp2/jp2_enc.c#L294-L312 There are calls to jas_image_cmpttype() as jas_image_cmpttype(image, 2), where jas_image_cmpttype() is a macro defined as: #define jas_image_cmpttype(image, cmptno) \ ((image)->cmpts_[(cmptno)]->type_) Hence the code attempts to access cmpts_[] array in the image structure as positions 0, 1, and 2. The problem is that the array may not be large enough, it only has size of image->numcmpts_ which may be less than 3 (it is 2 for the reproducer provided in the upstream report). This leads to a short buffer over-read. The value read is used as pointer and dereferenced, leading to invalid (possibly NULL) pointer deference, which is likely to trigger an immediate crash. A possible fix here is to ensure that there are 3 components before performing the relevant checks. I'm not sure if fewer than 3 components should always be handled as error when using RGB or YCBCR color spaces, or if fewer components can be used as long as matching cdef data is also provided. It should be noted that this problem occurs when using the jasper library to convert a specially crafted image into jp2 format. The problem does not affect the most common use case when the library is only used to read images in the JPEG2000 format. The issues remains unfixed in the latest upstream version 2.0.16. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20570 Upstream commit: https://github.com/jasper-software/jasper/commit/03db7c81f6a8a92d896249bc673877749987fd7a The issue was fixed upstream in jasper 2.0.17. |