Red Hat Bugzilla – Bug 1173162
CVE-2014-8138 jasper: heap overflow in jp2_decode() (oCERT-2014-012)
Last modified: 2016-11-23 16:43:46 EST
oCERT reports a heap-overflow issue in jp2_decode() in jasper: This code in jas_decode doesn't check for an upper bound on the value of channo: jas_image_setcmpttype(dec->image, dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], jp2_getct(jas_image_clrspc(dec->image), dec->cdef->data.cdef.ents[i].type, dec->cdef->data.cdef.ents[i].assoc)); This could be used via jas_image_setcmpttype (actually this is just image->cmpts_[cmptno]->type_ = type), to do an arbitrary write since there's no bound check there either. Acknowledgements: Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.
Created attachment 967280 [details] Proposed patch This adds channo check directly to jp2_decode(). An alternative would be to do check earlier in jp2_cdef_getdata(). However, as jp2_decode() does other similar sanity checks, it seems more consistent to add the check there as well.
Comment on attachment 967280 [details] Proposed patch Patch looks good to me.
Public now via oCERT-2014-012 advisory. External References: http://www.ocert.org/advisories/ocert-2014-012.html
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1175762] Affects: epel-7 [bug 1175764]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1175761] Affects: epel-5 [bug 1175763]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:2021 https://rhn.redhat.com/errata/RHSA-2014-2021.html
mingw-jasper-1.900.1-25.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-25.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-25.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mingw-jasper-1.900.1-25.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-27.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-29.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: RHEV Manager version 3.5 Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 RHEV-H and Agents for RHEL-7 Via RHSA-2015:1713 https://rhn.redhat.com/errata/RHSA-2015-1713.html
Fix was integrated upstream in version 1.900.2: https://github.com/mdadams/jasper/commit/c54113d6fa49f8f26d1572e972b806276c5b05d5