Bug 1385499 (CVE-2016-8690, CVE-2016-8884, CVE-2016-8885) - CVE-2016-8690 CVE-2016-8884 CVE-2016-8885 jasper: missing jas_matrix_create() parameter checks
Summary: CVE-2016-8690 CVE-2016-8884 CVE-2016-8885 jasper: missing jas_matrix_create()...
Status: CLOSED ERRATA
Alias: CVE-2016-8690, CVE-2016-8884, CVE-2016-8885
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161015,repor...
Keywords: Security
: 1388831 (view as bug list)
Depends On: 1385516 1385517 1385518 1385519 1439171 1439172 1439173 1439174
Blocks: 1314477
TreeView+ depends on / blocked
 
Reported: 2016-10-17 08:32 UTC by Adam Mariš
Modified: 2019-06-08 21:30 UTC (History)
28 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-05-09 21:43:53 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 21:13:57 UTC

Description Adam Mariš 2016-10-17 08:32:33 UTC
Null pointer dereference vulnerability was found in bmp_getdata triggered by invoking imginfo command on specially crafted BMP image.

Upstream patch:

https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca

CVE assignment:

http://www.openwall.com/lists/oss-security/2016/10/16/14

Comment 1 Adam Mariš 2016-10-17 08:55:04 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]

Comment 2 Adam Mariš 2016-10-17 08:55:19 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]

Comment 3 Andrej Nemec 2016-10-19 13:01:26 UTC
Upstream patch does not fix this issue according to the reporter:

http://seclists.org/oss-sec/2016/q4/172

Comment 5 Tomas Hoger 2016-11-30 15:21:14 UTC
*** Bug 1388831 has been marked as a duplicate of this bug. ***

Comment 6 Tomas Hoger 2016-11-30 21:45:26 UTC
Here is original reporter's advisory:

https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/

It provides to crash stack traces indicating a problem in the BMP decoder:

# imginfo -f $FILE
==26929==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8fc7fd53b5 bp 0x7ffcdf755110 sp 0x7ffcdf754de0 T0)
    #0 0x7f8fc7fd53b4 in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5
    #1 0x7f8fc7fd53b4 in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f8fc7fa1a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f8fc70b961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.                        
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5 in bmp_getdata
==26929==ABORTING


# imginfo -f $FILE
==15555==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02a9c081ee bp 0x7ffd1e22e110 sp 0x7ffd1e22dde0 T0)
    #0 0x7f02a9c081ed in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5
    #1 0x7f02a9c081ed in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f02a9bd4a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f02a8cec61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5 in bmp_getdata
==15555==ABORTING


These issues were reported upstream in the following bug reports:

https://github.com/mdadams/jasper/issues/24
https://github.com/mdadams/jasper/issues/21

and addressed in version 1.900.5 via this commit:

https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca

A single CVE id CVE-2016-8690 was originally assigned for these issues:

http://seclists.org/oss-sec/2016/q4/155


However, that fix did not address the underlying issue.  The change to the bmp_getint32() function prevented triggering of the problem with originally provided reproducers, but reporter was able to create a different reproducer that does not trigger the problem in versions prior to 1.900.5, but does trigger it in 1.900.5.

The following advisory was published for the incomplete fix:

https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690/

providing the following crash stack traces:

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
skipping unknown data in BMP file
ASAN:DEADLYSIGNAL
=================================================================
==19659==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f90527a18fe bp 0x7ffcfacc8070 sp 0x7ffcfacc7ee0 T0)
    #0 0x7f90527a18fd in bmp_getdata /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5
    #1 0x7f90527a18fd in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:201
    #2 0x7f9052748f39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #3 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #4 0x7f905185761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5 in bmp_getdata
==19659==ABORTING

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED!
THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA.
IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA
TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
ASAN:DEADLYSIGNAL
=================================================================
==11248==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f888b2f5a44 bp 0x7ffea5b3b070 sp 0x7ffea5b3aee0 T0)
    #0 0x7f888b2f5a43 in bmp_getdata /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5
    #1 0x7f888b2f5a43 in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:201
    #2 0x7f888b29cf39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #3 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #4 0x7f888a3ab61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5 in bmp_getdata
==11248==ABORTING


Upstream bug report for the incomplete fix:

https://github.com/mdadams/jasper/issues/33

addressed in version 1.900.9 via this commit:

https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698

The relevant part of the fix is change to the jas_matrix_create() function to ensure that its numrows and numcols arguments are not negative.  Negative values could cause the created matrix to be initialized into an inconsistent state - with data_ being NULL and datasize_ being non-0 / negative.  That could later lead to dereference of the NULL data_ pointer.  It's likely to be write attempt close to NULL, but can theoretically be further away from NULL and hence accessing writeable memory.  Provided test case that trigger the problem via BMP decoder only trigger a write close to NULL, limiting impact to crash.

Two separate CVE ids CVE-2016-8884 and CVE-2016-8885 were assigned for the incomplete fix, even though the original issue only got single CVE.  Some discussion of that can be found here:

http://seclists.org/oss-sec/2016/q4/221

Comment 7 Tomas Hoger 2016-11-30 21:53:27 UTC
(In reply to Tomas Hoger from comment #6)
 > addressed in version 1.900.9 via this commit:
> 
> https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698

This commit also adds additional sanity checks to bmp_decode(), which do not prevent crashes on the provided reproducers.

Comment 12 errata-xmlrpc 2017-05-09 17:17:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208


Note You need to log in before you can comment on or make changes to this bug.