Bug 346501 (CVE-2007-2721)

Summary: CVE-2007-2721 jasper: crash in jpc_qcx_getcompparms
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: kreilly, rdieter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721
Fixed In Version: jasper 1.900.5
Doc Type: Bug Fix
Clone Of:
: 501451
Last Closed: 2010-12-22 21:49:39 UTC
Bug Depends On: 240397, 346511, 472945, 472946, 472947, 472948, 501451, 530120, 554731

Attachments:
  Test files from Debian bug
  Patch used by Ubuntu
  Patch used by Mandriva

Description Tomas Hoger 2007-10-23 09:05:27 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-2721 to the following vulnerability:

The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413033
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041;msg=88
http://www.mandriva.com/security/advisories?name=MDKSA-2007:129
http://www.ubuntu.com/usn/usn-501-1
http://www.securityfocus.com/bid/24052
http://secunia.com/advisories/25287
http://secunia.com/advisories/25703
http://secunia.com/advisories/26516

Comment 1 Tomas Hoger 2007-10-23 09:18:35 UTC
This issue was addressed for the Fedora jasper package a few months ago:

https://bugzilla.redhat.com/show_bug.cgi?id=240397
https://www.redhat.com/archives/fedora-package-announce/2007-May/msg00077.html

Recently, it was discovered that (GNU) ghostscript contains a local copy of jasper
code which is affected by this problem:

https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/153765
http://www.ubuntu.com/usn/usn-501-2

ghostscript patch applied upstream:

http://ghostscript.com/pipermail/gs-cvs/2007-October/007877.html
http://cvs.ghostscript.com/cgi-bin/viewcvs.cgi/ghostscript?rev=8298&view=rev
Comment 2 Tomas Hoger 2007-10-23 09:30:34 UTC
This issue does not affect versions of ghostscript as shipped with Red Hat
Enterprise Linux 2.1, 3, 4 or 5 and Fedora Core 6 and Fedora 7, as they do not
include jasper library.

Comment 4 Rex Dieter 2008-09-05 15:29:10 UTC
Since this was already addressed in fedora (per comment #1) and doesn't affect rhel (comment #2), can this be closed?  (else, I'll likely just remove my CC here)

Comment 5 Tomas Hoger 2008-09-08 15:09:21 UTC
Rex, you're gonna hate me for adding you back here, but you did not give me much time to reply to your previous comment ;).

I was recently looking into this issue as well, as the patch that was used in the Fedora jasper packages differs from what was used by other vendors (Mandriva, Ubuntu, but not Debian, it seems) and what got committed to ghostscript CVS.

So this issue starts with the Debian bug report here:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413033
and its libjasper clone:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041

Those bugs contain a couple of files that are relevant for jasper (and cause jasper to crash): broken.jpc, broken.jp2, broken[234].jp2

The patch we have addresses the issue as it is worded in the CVE description, but jasper still crashes on some test files.  The rest of that patch used by others is a bit scary though (malloc -> calloc switch), and when applied to jasper in Fedora, it seems to cause jasper to enter an infinite loop on at least one of the files (but I still can't seem to find enough time to dig deeper ;( ).

Do you remember where you got the patch from, or possibly why it does not contain the changes used by other vendors?  I'm attaching a tarball with test files and patches.

(Also dropping Tim from CC, as ghostscript now uses system jasper.)

Comment 6 Tomas Hoger 2008-09-08 15:09:59 UTC
Created attachment 316091 [details]
Test files from Debian bug

Comment 7 Tomas Hoger 2008-09-08 15:10:39 UTC
Created attachment 316092 [details]
Patch used by Ubuntu

Comment 8 Tomas Hoger 2008-09-08 15:11:08 UTC
Created attachment 316093 [details]
Patch used by Mandriva

Comment 9 Rex Dieter 2008-09-08 15:25:39 UTC
np, no hate here, thanks for the extra diligence.

Comment 10 Tomas Hoger 2008-09-09 06:50:18 UTC
I did not forget to add smiley, right? ;)

So it's not an infinite loop after all; the image just claims to have some crazy size:

  $ imginfo -f broken.jpc
  jpc 3 203 2097304 8 1277258136

Note to self: output values are:
  fmtname, numcmpts, width, height, depth, (long) jas_image_rawsize(image)

So running ImageMagick's convert (e.g. convert broken.jpc foo.jpg) is likely to blow up when running out of memory.  Running the jasper utility to convert to pnm finishes after some time and creates a 1.2 gig output file.  You can test with:

  jasper --input broken.jpc --output /dev/null --output-format pnm

It's not clear whether all that raw data is really compressed into the 30k .jpc file, or whether jasper has some issue with EOF handling / detection, though.
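
The memory blow-up described in comment 10 can be caught before decoding by reading the header-declared geometry and refusing images whose decoded raster would exceed a budget. The following is an added example, not code from the bug report or from JasPer: it parses the `imginfo -f` output format quoted above (fmtname, numcmpts, width, height, depth, rawsize), recomputes the raster size under the assumption of one sample per component per pixel in ceil(depth/8) bytes (which reproduces the reported 1277258136 for broken.jpc), and applies a caller-chosen byte budget. The second input line and the budget value are constructed for illustration.

```python
# Added example (not part of the bug report or of JasPer): a pre-decode
# sanity check built on the `imginfo -f` output quoted in comment 10.
# imginfo prints: fmtname numcmpts width height depth rawsize
# where rawsize is (long) jas_image_rawsize(image).
from dataclasses import dataclass


@dataclass
class ImgInfo:
    fmtname: str
    numcmpts: int
    width: int
    height: int
    depth: int
    rawsize: int


def parse_imginfo(line: str) -> ImgInfo:
    """Parse one line of `imginfo -f` output into its six fields."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"unexpected imginfo output: {line!r}")
    fmt, *nums = fields
    return ImgInfo(fmt, *[int(x) for x in nums])


def expected_rawsize(info: ImgInfo) -> int:
    """Bytes needed for the decoded raster, assuming one sample per
    component per pixel, each stored in ceil(depth/8) bytes.  For the
    broken.jpc line in comment 10 this yields 1277258136 (about 1.2 GB)."""
    bytes_per_sample = (info.depth + 7) // 8
    return info.numcmpts * info.width * info.height * bytes_per_sample


def check_decodable(line: str, budget_bytes: int) -> tuple[bool, str]:
    """Return (ok, reason).  Reject before decoding when the declared
    raster exceeds the budget or the reported rawsize is inconsistent
    with the declared geometry."""
    info = parse_imginfo(line)
    need = expected_rawsize(info)
    if need != info.rawsize:
        return False, f"rawsize {info.rawsize} != computed {need}"
    if need > budget_bytes:
        return False, f"declared raster {need} bytes exceeds budget {budget_bytes}"
    return True, f"declared raster {need} bytes within budget"


# Constructed inputs: BROKEN_JPC is the line quoted in comment 10;
# SANE_JPC is a made-up 640x480 RGB image for comparison.
BROKEN_JPC = "jpc 3 203 2097304 8 1277258136"
SANE_JPC = "jpc 3 640 480 8 921600"

if __name__ == "__main__":
    for line in (BROKEN_JPC, SANE_JPC):
        print(line, "->", check_decodable(line, budget_bytes=256 * 1024 * 1024))
```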

Comment 12 Vincent Danen 2010-12-22 21:49:39 UTC
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2009:0012)
Red Hat Enterprise Linux version 5 (RHSA-2009:0012)

Comment 13 Tomas Hoger 2016-11-24 10:42:24 UTC
Fixed upstream in version 1.900.5:

https://github.com/mdadams/jasper/commit/4031ca321d8cb5798c316ab39c7a5dc88a61fdd7