Bug 1255710 - (CVE-2015-5221) CVE-2015-5221 jasper: use-after-free and double-free flaws in mif_process_cmpt()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150820,repor...
Keywords: Security
Depends On: 1439172 1255714 1255715 1255716 1255717 1260926 1439171 1439173 1439174
Blocks: 1254249 1314477

Reported: 2015-08-21 07:40 EDT by Adam Mariš
Modified: 2017-07-20 07:32 EDT
Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Last Closed: 2017-05-09 17:42:40 EDT

Description Adam Mariš 2015-08-21 07:40:26 EDT
A use-after-free that leads to a double-free vulnerability was found in the Jasper JPEG-2000 library, in the src/libjasper/mif/mif_cod.c file.

                case MIF_HSAMP:
                        cmpt->sampperx = atoi(jas_tvparser_getval(tvp));
                        break;
                case MIF_VSAMP:
                        cmpt->samppery = atoi(jas_tvparser_getval(tvp));
                        break;

        jas_tvparser_destroy(tvp);
        if (!cmpt->sampperx || !cmpt->samppery) {
                goto error;
        }
        if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) {
                goto error;
        }
        return 0;

error:
        if (cmpt) {
                mif_cmpt_destroy(cmpt);
        }
        if (tvp) {
                jas_tvparser_destroy(tvp);
        }
        return -1;

Both tvp and tvp->buf are freed by jas_tvparser_destroy(tvp), but if one of the two following branch conditions is taken, a second call to jas_tvparser_destroy(tvp) occurs. It is a use-after-free because, before calling free in jas_tvparser_destroy, there is a check on tvp->buf while tvp could already have been freed. Two double frees take place just after this check (on tvp->buf and tvp).

Public via:

http://seclists.org/oss-sec/2015/q3/408

Acknowledgements:

Name: Josselin Feist
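The control flow described above, reduced to a runnable model (an added example, not JasPer's code and not the reporter's): a constructed stand-in parser is torn down once on the normal path, and the error label must not tear it down again. The hardening shown, clearing tvp right after the first destroy, is one defensive pattern for this bug class and is not presented as the upstream commit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for jas_tvparser: a heap object that owns a buffer. */
typedef struct { char *buf; } tvparser_t;
typedef struct { int sampperx, samppery; } cmpt_t;
static int destroy_calls; /* instrumentation: parser teardowns in the last call */

static tvparser_t *tvparser_create(const char *s) {
    tvparser_t *t = malloc(sizeof *t);
    if (!t) return NULL;
    t->buf = malloc(strlen(s) + 1);
    if (!t->buf) { free(t); return NULL; }
    strcpy(t->buf, s);
    return t;
}

static void tvparser_destroy(tvparser_t *t) {
    destroy_calls++;
    /* In the real bug, a second call reads t->buf from freed memory here
     * and then frees both pointers again. */
    if (t->buf) free(t->buf);
    free(t);
}

/* Same control flow as mif_process_cmpt(): parse, tear the parser down,
 * then validate. One added line after the teardown is the hardening. */
int process_cmpt_fixed(const char *hdrline, cmpt_t *out) {
    tvparser_t *tvp = NULL;
    cmpt_t *cmpt = calloc(1, sizeof *cmpt);
    if (!cmpt) goto error;
    if (!(tvp = tvparser_create(hdrline))) goto error;
    if (sscanf(tvp->buf, "sampperx=%d samppery=%d",
               &cmpt->sampperx, &cmpt->samppery) != 2) goto error;
    tvparser_destroy(tvp);
    tvp = NULL; /* hardening: the error label can no longer destroy it twice */
    if (!cmpt->sampperx || !cmpt->samppery) goto error; /* the vulnerable branch */
    *out = *cmpt;
    free(cmpt);
    return 0;
error:
    if (cmpt) free(cmpt);
    if (tvp) tvparser_destroy(tvp); /* only reached while the parser is live */
    return -1;
}

/* Check helpers: status of one header line, or the teardowns it caused. */
int status_for(const char *hdrline) { cmpt_t c; destroy_calls = 0; return process_cmpt_fixed(hdrline, &c); }
int teardowns_for(const char *hdrline) { (void)status_for(hdrline); return destroy_calls; }
```

A zero sampling factor now takes the error path with exactly one teardown, which is the property the original code violated.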
Comment 1 Adam Mariš 2015-08-21 07:47:03 EDT
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1255715]
Comment 2 Adam Mariš 2015-08-21 07:47:06 EDT
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1255714]
Comment 3 Adam Mariš 2015-08-21 07:47:44 EDT
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1255716]
Comment 4 Adam Mariš 2015-08-21 07:48:03 EDT
Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1255717]
Comment 7 Fedora Update System 2016-08-15 17:21:38 EDT
jasper-1.900.1-33.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-09-09 17:51:51 EDT
jasper-1.900.1-33.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Tomas Hoger 2016-11-23 16:41:02 EST
Fixed in jasper 1.900.2:

https://github.com/mdadams/jasper/commit/df5d2867e8004e51e18b89865bc4aa69229227b3
Comment 13 errata-xmlrpc 2017-05-09 13:15:38 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208
