Bug 461476 (CVE-2008-3520)
| Summary: | CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | unspecified | CC: | jnovy, kreilly, limingxing, mprpic, rdieter, rjones | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | jasper 1.900.4 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2009-10-28 10:59:18 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 472945, 472946, 472947, 472948, 530305 | ||||||||
| Bug Blocks: | 1167538, 1296949, 1296956 | ||||||||
| Attachments: |
|
||||||||
|
Description
Tomas Hoger
2008-09-08 13:29:29 UTC
Created attachment 316077 [details]
OpenBSD patch
This patch introduces jas_alloc[23] and jas_realloc2 functions and replaces all jas_malloc calls with argument containing multiplication of 2 or 3 values. In multiple cases, such change is not necessary (product is guaranteed not to overflow), and it was not further investigated in which cases overflow is possible and in which it is not possible.
All occurrences were possibly identified with something like:
egrep -r --color 'jas_malloc[[:space:]]*\(.*\*' *
Created attachment 325790 [details] More complete fix for CVE-2008-3520 It seems that the OpenBSD patch misses completely the jpc/jpc_cs.c, where jas_malloc() is used frequently with an argument containing multiplication with sizeof(random_type). I converted the jas_malloc(A * sizeof(unsigned char)) to jas_alloc2() as well to be paranoidly sure it won't ever happen to overflow even on weird platforms where sizeof(char) != 1. Returning back to NEW state. This is just a tracking bug. (In reply to comment #3) > It seems that the OpenBSD patch misses completely the jpc/jpc_cs.c, where > jas_malloc() is used frequently with an argument containing multiplication with > sizeof(random_type). What is the difference between patch comment #1 and comment #1 wrt jpc/jpc_cs.c? The only difference I see is related to this change: > I converted the jas_malloc(A * sizeof(unsigned char)) to jas_alloc2() as well > to be paranoidly sure it won't ever happen to overflow even on weird > platforms where sizeof(char) != 1. so jas_malloc(ppm->len * sizeof(unsigned char)) is changed to: jas_alloc2(ppm->len, sizeof(unsigned char)) rather than: jas_malloc(ppm->len) Ok, my bad. The jpc/jpc_cs.c hunks were lost in rejected patch application while backporting the OpenBSD patch. In any case, it is now fixed. jasper-1.900.1-13.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc11 jasper-1.900.1-13.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc10 jasper-1.900.1-13.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el5 jasper-1.900.1-13.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el4 jasper-1.900.1-13.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. jasper-1.900.1-13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. jasper-1.900.1-13.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report. jasper-1.900.1-13.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: RHEV Manager version 3.5 Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html *** Bug 1294039 has been marked as a duplicate of this bug. *** *** Bug 1296952 has been marked as a duplicate of this bug. *** *** Bug 1296951 has been marked as a duplicate of this bug. *** *** Bug 1296953 has been marked as a duplicate of this bug. *** *** Bug 1296956 has been marked as a duplicate of this bug. *** *** Bug 1296949 has been marked as a duplicate of this bug. *** The patch was integrated upstream in version 1.900.4: https://github.com/mdadams/jasper/commit/3c55b399c36ef46befcb21e4ebc4799367f89684 |