Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1179282 - (CVE-2014-8157) CVE-2014-8157 jasper: dec->numtiles off-by-one check in jpc_dec_process_sot() (oCERT-2015-001)
CVE-2014-8157 jasper: dec->numtiles off-by-one check in jpc_dec_process_sot()...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20150121,repo...
: Security
Depends On: 1182812 1183671 1183672 1183673 1183674 1184750 1184751 1184752 1184753
Blocks: 1167538 1179289
  Show dependency treegraph
 
Reported: 2015-01-06 09:29 EST by Vasyl Kaigorodov
Modified: 2016-11-23 16:49 EST (History)
28 users (show)

See Also:
Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Doc Text:
An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-18 09:25:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0074 normal SHIPPED_LIVE Important: jasper security update 2015-01-22 21:13:34 EST
Red Hat Product Errata RHSA-2015:0698 normal SHIPPED_LIVE Important: rhevm-spice-client security, bug fix, and enhancement update 2015-03-18 12:11:47 EDT

  None (edit)
Description Vasyl Kaigorodov 2015-01-06 09:29:24 EST 
oCERT reports an issue in jasper discovered by pyddeh:

"""

jpc_dec.c:1204:

    dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
    dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
    dec->numtiles = dec->numhtiles * dec->numvtiles;
    if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
        return -1;
    }

the dec->XXX in JPC_CEILDIV are all directly from the codestream, so
dec->numtiles can be 0. In that case, the minimum-sized chunk returned by
malloc can, depending on the code stream, be used later. I think this can
cause the same problems as a use after free. Fix proposal:

    if ( dec->numtiles == 0 || !(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
        return -1;
    }

"""

Acknowledgement:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges pyddeh as the original reporter.
Comment 1 Jiri Popelka 2015-01-08 07:24:55 EST 
(In reply to Vasyl Kaigorodov from comment #0)
> Fix proposal:
> 
>     if ( dec->numtiles == 0 || !(dec->tiles = jas_malloc(dec->numtiles *
> sizeof(jpc_dec_tile_t)))) {
>         return -1;
>     }

LGTM
Comment 2 Tomas Hoger 2015-01-09 05:18:47 EST 
While the patch looks harmless, it's unclear to me how it helps as the issue is not clearly identified in the report.  As far as I can see, all dec->tiles[] accesses user dec->numtiles as an upper bound, so there does not seem to be any issue with overflowing under-allocated buffer.  It's unclear where the reported user-after-free-like problem should happen.
Comment 3 Tomas Hoger 2015-01-09 16:00:40 EST 
(In reply to Tomas Hoger from comment #2)
> As far as I can see, all dec->tiles[] accesses user dec->numtiles as an upper
> bound, so there does not seem to be any issue with overflowing under-allocated
> buffer.

The check in jpc_dec_process_sot() is actually off-by-one:

    if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
        jas_eprintf("invalid tile number in SOT marker segment\n");
        return -1;
    }
    /* Set the current tile. */
    dec->curtile = &dec->tiles[sot->tileno];
    tile = dec->curtile;

sot->tileno equal to dec->numtiles already makes dec->tiles[] access outside of the allocated bounds.
Comment 8 Tomas Hoger 2015-01-22 03:36:33 EST 
Public now via oCERT-2015-001.

External References:

http://www.ocert.org/advisories/ocert-2015-001.html
Comment 9 Tomas Hoger 2015-01-22 03:38:37 EST 
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184751]
Affects: epel-7 [bug 1184753]
Comment 10 Tomas Hoger 2015-01-22 03:38:42 EST 
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1184750]
Affects: epel-5 [bug 1184752]
Comment 11 Tomas Hoger 2015-01-22 04:41:12 EST 
Patch that was added to Fedora jasper packages:

http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch
Comment 12 Ján Rusnačko 2015-01-22 09:48:41 EST 
Statement:

(none)
Comment 13 errata-xmlrpc 2015-01-22 16:14:20 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0074 https://rhn.redhat.com/errata/RHSA-2015-0074.html
Comment 14 Kurt Seifried 2015-01-23 12:14:29 EST 
This issue has been addressed in the following products:

OpenShift Enterprise 2.0, 2.1 and 2.2

Via:

RHBA-2015:0075 https://rhn.redhat.com/errata/RHBA-2015-0075.html
RHBA-2015:0076 https://rhn.redhat.com/errata/RHBA-2015-0076.html
RHBA-2015:0077 https://rhn.redhat.com/errata/RHBA-2015-0077.html
Comment 15 Fedora Update System 2015-02-02 12:21:34 EST 
mingw-jasper-1.900.1-26.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2015-02-02 12:23:24 EST 
mingw-jasper-1.900.1-26.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2015-02-09 00:28:27 EST 
jasper-1.900.1-30.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2015-02-09 00:32:30 EST 
jasper-1.900.1-28.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2015-02-13 21:46:48 EST 
mingw-jasper-1.900.1-26.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 errata-xmlrpc 2015-03-18 08:12:49 EDT 
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
Comment 21 Fedora Update System 2015-05-10 20:52:41 EDT 
jasper-1.900.1-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Tomas Hoger 2016-11-23 16:48:33 EST 
Fix was integrated upstream in version 1.900.2:

https://github.com/mdadams/jasper/commit/3fd4067496d8ef70f11841d7492ddeb1f1d56915
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.