Bug 1314466 - (CVE-2016-1577) CVE-2016-1577 jasper: double free issue in jas_iccattrval_destroy()
CVE-2016-1577 jasper: double free issue in jas_iccattrval_destroy()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160303,repor...
: Security
Depends On: 1439172 1314468 1314469 1314470 1314471 1439171 1439173 1439174
Blocks: 1314477
  Show dependency treegraph
 
Reported: 2016-03-03 11:57 EST by Adam Mariš
Modified: 2017-05-09 17:41 EDT (History)
28 users (show)

See Also:
Fixed In Version: jasper 1.900.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-09 17:41:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-03-03 11:57:46 EST
A double free vulnerability in jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file was found.

Vulnerable code:

src/libjasper/base/jas_icc.c:
258     jas_iccprof_t *jas_iccprof_load(jas_stream_t *in)
259     {
...
294             for (i = 0; i < numtags; ++i) {
295                     tagtabent = &prof->tagtab.ents[i];
296                     if (tagtabent->off == JAS_CAST(jas_iccuint32_t, prevoff)) {
297                             if (prevattrval) {
298                                     if (!(attrval = jas_iccattrval_clone(prevattrval)))
299                                             goto error;
300                                     if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
301                                             goto error;
302                                     jas_iccattrval_destroy(attrval);
303                             } else {
304     #if 0
305                                     jas_eprintf("warning: skipping unknown tag type\n");
306     #endif
307                             }
308                             continue;
309                     }
310                     reloff = tagtabent->off - curoff;
311                     if (reloff > 0) {
312                             if (jas_stream_gobble(in, reloff) != reloff)
313                                     goto error;
314                             curoff += reloff;
315                     } else if (reloff < 0) {
316                             /* This should never happen since we read the tagged
317                             element data in a single pass. */
318                             abort();
319                     }
320                     prevoff = curoff;
321                     if (jas_iccgetuint32(in, &type)) {
322                             goto error;
323                     }
324                     if (jas_stream_gobble(in, 4) != 4) {
325                             goto error;
326                     }
327                     curoff += 8;
328                     if (!(attrvalinfo = jas_iccattrvalinfo_lookup(type))) {
329     #if 0
330                             jas_eprintf("warning: skipping unknown tag type\n");
331     #endif
332                             prevattrval = 0;
333                             continue;
334                     }
335                     if (!(attrval = jas_iccattrval_create(type))) {
336                             goto error;
337                     }
...
353     error:
354             if (prof)
355                     jas_iccprof_destroy(prof);
356             if (attrval)
357                     jas_iccattrval_destroy(attrval);
358             return 0;
359     }

attrval variable is assigned on line 298 and freed with the call to jas_iccattrval_destroy() on line 302. If the tests on lines 312, 321, or 324 are true, the same pointer will be passed a second time to jas_iccattrval_destroy() on line 357.

Proposed patch:

http://seclists.org/oss-sec/2016/q1/att-507/CVE-2016-1577.patch

Public via:

http://seclists.org/oss-sec/2016/q1/507
Comment 1 Adam Mariš 2016-03-03 11:59:08 EST
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1314469]
Affects: epel-7 [bug 1314471]
Comment 2 Adam Mariš 2016-03-03 11:59:22 EST
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1314468]
Affects: epel-5 [bug 1314470]
Comment 3 Fedora Update System 2016-08-15 17:21:05 EDT
jasper-1.900.1-33.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2016-09-09 17:51:13 EDT
jasper-1.900.1-33.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Tomas Hoger 2016-11-23 16:28:39 EST
The original Ubuntu bug report:

https://bugs.launchpad.net/ubuntu/+source/jasper/+bug/1547865


Upstream commit, applied in version 1.900.2:

https://github.com/mdadams/jasper/commit/74ea22a7a4fe186e0a0124df25e19739b77c4a29
Comment 8 errata-xmlrpc 2017-05-09 13:16:24 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208

Note You need to log in before you can comment on or make changes to this bug.