A divide-by-zero vulnerability was found in jpc_dec_process_siz, triggered by invoking the imginfo command on a specially crafted file.

Upstream patch: https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020
CVE assignment: http://www.openwall.com/lists/oss-security/2016/10/16/14
Please don't make changes to flaw bugs! These should be modified only by members of Product Security. Tracking bugs for Fedora will be created soon. Thanks!
Created mingw-jasper tracking bugs for this issue:
Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]
There are two related issues that got separate CVEs assigned, CVE-2016-8691 and CVE-2016-8692, even though they should have got a single CVE based on the MITRE CVE assignment rules. They have also been addressed via the same upstream commit. Merging the tracking of both CVEs into a single bug.

Prior to the patch, the jpc_siz_getparms() function failed to sanity check the values of the XRsiz and YRsiz fields of the SIZ marker segment. That could lead to an attempt to perform a division by 0, and hence unexpected program termination, inside the jpc_dec_process_siz() function.

Both issues are covered by this advisory from the original reporter:
https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/

CVE-2016-8691 is for the missing check of the XRsiz value.
Upstream bug report: https://github.com/mdadams/jasper/issues/22

Details from the original reporter's advisory:

# imginfo -f $FILE
warning: trailing garbage in marker segment (2 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==31103==ERROR: AddressSanitizer: FPE on unknown address 0x7f5b9237e7df (pc 0x7f5b9237e7df bp 0x7fff3818a0c0 sp 0x7fff38189fa0 T0)
    #0 0x7f5b9237e7de in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17
    #1 0x7f5b923842b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f5b923842b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f5b92327a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f5b9143f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17 in jpc_dec_process_siz
==31103==ABORTING

CVE-2016-8692 is for the missing check of the YRsiz value.
Upstream bug report: https://github.com/mdadams/jasper/issues/23

Details from the original reporter's advisory:

# imginfo -f $FILE
warning: trailing garbage in marker segment (5 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==24077==ERROR: AddressSanitizer: FPE on unknown address 0x7f78c36f9822 (pc 0x7f78c36f9822 bp 0x7ffe2bff10c0 sp 0x7ffe2bff0fa0 T0)
    #0 0x7f78c36f9821 in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18
    #1 0x7f78c36ff2b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f78c36ff2b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f78c36a2a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f78c27ba61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18 in jpc_dec_process_siz
==24077==ABORTING
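The comment above describes the root cause as a missing sanity check on the XRsiz and YRsiz fields of the SIZ marker segment, which later become divisors when component dimensions are computed. The following is an added example, not JasPer's code and not the upstream patch: a minimal parser for the SIZ segment body (field layout per ITU-T T.800 Table A.9) that rejects a zero sub-sampling factor at parse time, before the width computation that divides by it. The struct and function names (siz_params, siz_parse, siz_comp_width, siz_parse_one, siz_build1) are hypothetical, and the SIZ bytes used in main are constructed test input.

```c
/* Added example (not JasPer's own code): parse a JPEG 2000 SIZ marker segment
 * body and validate XRsiz/YRsiz before anything divides by them.
 * Names are hypothetical; byte layout follows ITU-T T.800 Table A.9. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZ_HDR_LEN   38   /* Lsiz through Csiz, before the per-component triples */
#define SIZ_MAX_COMPS 4    /* cap for this example; the format allows up to 16384 */

typedef struct {
    uint32_t xsiz, ysiz;             /* reference grid size */
    uint32_t xosiz, yosiz;           /* image offset on the grid */
    uint16_t csiz;                   /* number of components */
    uint8_t  xrsiz[SIZ_MAX_COMPS];   /* horizontal sub-sampling per component */
    uint8_t  yrsiz[SIZ_MAX_COMPS];   /* vertical sub-sampling per component */
} siz_params;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse a SIZ segment body (buf points at Lsiz). Returns 0 on success,
 * -1 on any malformed or out-of-policy value. */
int siz_parse(const uint8_t *buf, size_t len, siz_params *out) {
    if (len < SIZ_HDR_LEN) return -1;
    uint16_t lsiz = rd16(buf);
    uint16_t csiz = rd16(buf + 36);
    if (csiz == 0 || csiz > SIZ_MAX_COMPS) return -1;
    if (lsiz != SIZ_HDR_LEN + 3u * csiz || lsiz > len) return -1;
    out->xsiz  = rd32(buf + 4);  out->ysiz  = rd32(buf + 8);
    out->xosiz = rd32(buf + 12); out->yosiz = rd32(buf + 16);
    if (out->xosiz >= out->xsiz || out->yosiz >= out->ysiz) return -1; /* empty image area */
    out->csiz = csiz;
    for (uint16_t i = 0; i < csiz; i++) {
        const uint8_t *c = buf + SIZ_HDR_LEN + 3 * i;   /* Ssiz, XRsiz, YRsiz */
        out->xrsiz[i] = c[1];
        out->yrsiz[i] = c[2];
        /* The check the advisory reports as missing: the spec allows 1..255,
         * and a zero here would be used as a divisor below. */
        if (out->xrsiz[i] == 0 || out->yrsiz[i] == 0) return -1;
    }
    return 0;
}

/* Overflow-safe ceiling division; b is guaranteed non-zero by siz_parse. */
static uint32_t ceildiv(uint32_t a, uint32_t b) { return a / b + (a % b != 0); }

/* Component width on the reference grid (T.800 eq. B-2); the same kind of
 * division the pre-fix decoder reached with an unchecked sub-sampling value. */
uint32_t siz_comp_width(const siz_params *s, uint16_t i) {
    return ceildiv(s->xsiz, s->xrsiz[i]) - ceildiv(s->xosiz, s->xrsiz[i]);
}

/* Build a constructed one-component SIZ body for testing; returns its length. */
size_t siz_build1(uint8_t *buf, uint32_t xsiz, uint32_t ysiz, uint8_t xr, uint8_t yr) {
    const uint16_t lsiz = SIZ_HDR_LEN + 3;
    memset(buf, 0, lsiz);                        /* Rsiz, offsets, tile offsets = 0 */
    wr16(buf, lsiz);
    wr32(buf + 4, xsiz);  wr32(buf + 8, ysiz);
    wr32(buf + 20, xsiz); wr32(buf + 24, ysiz);  /* one tile covering the image */
    wr16(buf + 36, 1);                           /* Csiz = 1 */
    buf[38] = 7; buf[39] = xr; buf[40] = yr;     /* Ssiz (8-bit unsigned), XRsiz, YRsiz */
    return lsiz;
}

/* Build, parse and measure a one-component image. Returns 0 and sets *width
 * when the segment is accepted, -1 when siz_parse rejects it. */
int siz_parse_one(uint32_t xsiz, uint32_t ysiz, uint8_t xr, uint8_t yr, uint32_t *width) {
    uint8_t buf[SIZ_HDR_LEN + 3];
    siz_params s;
    size_t n = siz_build1(buf, xsiz, ysiz, xr, yr);
    if (siz_parse(buf, n, &s) != 0) return -1;
    *width = siz_comp_width(&s, 0);
    return 0;
}

int main(void) {
    uint32_t w;
    if (siz_parse_one(100, 60, 2, 2, &w) == 0) printf("valid SIZ: component width %u\n", w);
    printf("XRsiz = 0: %s\n", siz_parse_one(100, 60, 0, 1, &w) == 0 ? "accepted" : "rejected");
    printf("YRsiz = 0: %s\n", siz_parse_one(100, 60, 1, 0, &w) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The design point is where the check lives: validating the sampling factors in the parser means every later consumer (width, height, tile geometry) can divide without re-checking, which is why the single upstream commit could close both CVEs at once.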
*** Bug 1385503 has been marked as a duplicate of this bug. ***
The impact of this problem is limited to unexpected application termination. There is currently no plan to backport the fix to already released Red Hat Enterprise Linux versions.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208