Bug 1385502 - (CVE-2016-8691, CVE-2016-8692) CVE-2016-8691 CVE-2016-8692 jasper: missing SIZ marker segment XRsiz and YRsiz fields range check
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20161015,reported=2...
Keywords: Security
Duplicates: 1385503
Depends On: 1385516 1385517 1385518 1385519 1439171 1439172 1439173 1439174
Blocks: 1314477

Reported: 2016-10-17 04:40 EDT by Adam Mariš
Modified: 2017-05-09 17:45 EDT

See Also:
Fixed In Version: jasper 1.900.4
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-09 17:45:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2017:1208 | normal | SHIPPED_LIVE | Important: jasper security update | 2017-05-09 17:13:57 EDT

Description Adam Mariš 2016-10-17 04:40:25 EDT
A divide-by-zero vulnerability was found in jpc_dec_process_siz, triggered by invoking the imginfo command on a specially crafted file.

Upstream patch:

https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020

CVE assignment:

http://www.openwall.com/lists/oss-security/2016/10/16/14
Comment 1 Adam Mariš 2016-10-17 04:49:20 EDT
Please, don't make changes to flaw bugs! These should be modified only by members of Product Security. Tracking bugs for Fedora will be created soon.

Thanks!
Comment 2 Adam Mariš 2016-10-17 04:55:35 EDT
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]
Comment 3 Adam Mariš 2016-10-17 04:55:53 EDT
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]
Comment 4 Tomas Hoger 2016-11-30 05:45:43 EST
There are two related issues that got separate CVEs assigned - CVE-2016-8691 and CVE-2016-8692 - even though they should have got a single CVE based on the MITRE CVE assignment rules. They have also been addressed via the same upstream commit. Merging the tracking of both CVEs into a single bug.

Prior to the patch, the jpc_siz_getparms() function failed to sanity check the values of the XRsiz and YRsiz fields of the SIZ marker segment. That could lead to an attempt to perform division by 0, and hence unexpected program termination, inside the jpc_dec_process_siz() function.

Both issues are covered by this advisory from the original reporter:

https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/


CVE-2016-8691 is for the missing check of the XRsiz value.

Upstream bug report:

https://github.com/mdadams/jasper/issues/22

Details from the original reporter's advisory:

# imginfo -f $FILE
warning: trailing garbage in marker segment (2 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==31103==ERROR: AddressSanitizer: FPE on unknown address 0x7f5b9237e7df (pc 0x7f5b9237e7df bp 0x7fff3818a0c0 sp 0x7fff38189fa0 T0)
    #0 0x7f5b9237e7de in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17
    #1 0x7f5b923842b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f5b923842b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f5b92327a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f5b9143f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17 in jpc_dec_process_siz
==31103==ABORTING


CVE-2016-8692 is for the missing check of the YRsiz value.

Upstream bug report:

https://github.com/mdadams/jasper/issues/23

Details from the original reporter's advisory:

# imginfo -f $FILE
warning: trailing garbage in marker segment (5 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==24077==ERROR: AddressSanitizer: FPE on unknown address 0x7f78c36f9822 (pc 0x7f78c36f9822 bp 0x7ffe2bff10c0 sp 0x7ffe2bff0fa0 T0)
    #0 0x7f78c36f9821 in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18
    #1 0x7f78c36ff2b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f78c36ff2b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f78c36a2a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f78c27ba61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18 in jpc_dec_process_siz
==24077==ABORTING
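The check described in Comment 4, as an added example that is not JasPer's code and not the upstream patch: a small C parser for the payload of a JPEG 2000 SIZ marker segment that validates XRsiz and YRsiz (and the image geometry) before any component dimension is derived by division. Field offsets and names follow ITU-T T.800 Table A.9; the sample payload is constructed for the demo, and the function names, struct and status codes are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not JasPer's code: a defensive parser for the payload of a
 * JPEG 2000 SIZ marker segment (the bytes following the 0xFF51 marker).
 * Field offsets follow ITU-T T.800 Table A.9. The point is the order of
 * operations: every divisor (XRsiz, YRsiz) is range-checked before any
 * component geometry is derived from it. */

#define SIZ_MAX_COMPONENTS 16384   /* Csiz upper bound per T.800 */
#define SIZ_FIXED_LEN 38           /* Lsiz .. Csiz, before per-component triples */

enum siz_status {
    SIZ_OK = 0,
    SIZ_ERR_TRUNCATED = -1,       /* buffer shorter than the declared Lsiz */
    SIZ_ERR_NUM_COMPONENTS = -2,  /* Csiz outside 1..16384 */
    SIZ_ERR_GEOMETRY = -3,        /* origin/extent/tiling inconsistent */
    SIZ_ERR_SUBSAMPLING = -4      /* XRsiz or YRsiz is 0: would divide by zero */
};

struct siz_component { uint8_t ssiz, xrsiz, yrsiz; };

struct siz {
    uint32_t xsiz, ysiz, xosiz, yosiz, xtsiz, ytsiz, xtosiz, ytosiz;
    uint16_t csiz;
    struct siz_component comps[SIZ_MAX_COMPONENTS];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Ceiling division done in 64 bits so n + d - 1 cannot wrap; d != 0 is
 * guaranteed because siz_parse() rejects a zero XRsiz/YRsiz. */
static uint32_t ceil_div(uint32_t n, uint32_t d) {
    return (uint32_t)(((uint64_t)n + d - 1) / d);
}

int siz_parse(const uint8_t *buf, size_t len, struct siz *s)
{
    if (len < SIZ_FIXED_LEN) return SIZ_ERR_TRUNCATED;
    uint16_t lsiz = rd16(buf);
    s->csiz = rd16(buf + 36);
    if (s->csiz < 1 || s->csiz > SIZ_MAX_COMPONENTS) return SIZ_ERR_NUM_COMPONENTS;
    if (lsiz != SIZ_FIXED_LEN + 3u * s->csiz || len < lsiz) return SIZ_ERR_TRUNCATED;

    s->xsiz = rd32(buf + 4);    s->ysiz = rd32(buf + 8);
    s->xosiz = rd32(buf + 12);  s->yosiz = rd32(buf + 16);
    s->xtsiz = rd32(buf + 20);  s->ytsiz = rd32(buf + 24);
    s->xtosiz = rd32(buf + 28); s->ytosiz = rd32(buf + 32);

    /* Image area must be non-empty and the first tile must cover its origin. */
    if (s->xosiz >= s->xsiz || s->yosiz >= s->ysiz) return SIZ_ERR_GEOMETRY;
    if (s->xtsiz == 0 || s->ytsiz == 0) return SIZ_ERR_GEOMETRY;
    if (s->xtosiz > s->xosiz || s->ytosiz > s->yosiz) return SIZ_ERR_GEOMETRY;
    if ((uint64_t)s->xtosiz + s->xtsiz <= s->xosiz ||
        (uint64_t)s->ytosiz + s->ytsiz <= s->yosiz) return SIZ_ERR_GEOMETRY;

    /* The check that was missing: XRsiz/YRsiz are one byte each, so 0 is the
     * only out-of-range value, and it is exactly the one that later divides. */
    for (uint16_t i = 0; i < s->csiz; i++) {
        const uint8_t *c = buf + SIZ_FIXED_LEN + 3 * i;
        s->comps[i].ssiz = c[0];
        s->comps[i].xrsiz = c[1];
        s->comps[i].yrsiz = c[2];
        if (s->comps[i].xrsiz == 0 || s->comps[i].yrsiz == 0) return SIZ_ERR_SUBSAMPLING;
    }
    return SIZ_OK;
}

/* Subsampled width of component i (T.800 equation B-2); valid only after SIZ_OK. */
uint32_t siz_comp_width(const struct siz *s, unsigned i)
{
    return ceil_div(s->xsiz, s->comps[i].xrsiz) - ceil_div(s->xosiz, s->comps[i].xrsiz);
}

/* Constructed one-component 640x480 SIZ payload for the demo; not from any real file. */
static size_t build_demo_siz(uint8_t *buf, uint8_t xrsiz, uint8_t yrsiz)
{
    memset(buf, 0, SIZ_FIXED_LEN + 3);
    wr16(buf, SIZ_FIXED_LEN + 3);                 /* Lsiz for one component */
    wr32(buf + 4, 640);  wr32(buf + 8, 480);      /* Xsiz, Ysiz */
    wr32(buf + 20, 640); wr32(buf + 24, 480);     /* one tile covering the image */
    wr16(buf + 36, 1);                            /* Csiz */
    buf[38] = 7;                                  /* Ssiz: 8-bit unsigned samples */
    buf[39] = xrsiz;
    buf[40] = yrsiz;
    return SIZ_FIXED_LEN + 3;
}

/* Parse the demo payload with the given subsampling; returns a siz_status. */
int siz_check_subsampling(uint8_t xrsiz, uint8_t yrsiz)
{
    uint8_t buf[SIZ_FIXED_LEN + 3];
    static struct siz s;   /* static: the component table is ~48 KiB */
    return siz_parse(buf, build_demo_siz(buf, xrsiz, yrsiz), &s);
}

/* Width of component 0 for the demo payload, or 0 if the segment was rejected. */
uint32_t siz_width_for(uint8_t xrsiz, uint8_t yrsiz)
{
    uint8_t buf[SIZ_FIXED_LEN + 3];
    static struct siz s;
    size_t n = build_demo_siz(buf, xrsiz, yrsiz);
    return siz_parse(buf, n, &s) == SIZ_OK ? siz_comp_width(&s, 0) : 0;
}

int main(void)
{
    printf("XRsiz=1,YRsiz=1 -> status %d, width %u\n", siz_check_subsampling(1, 1), siz_width_for(1, 1));
    printf("XRsiz=0,YRsiz=1 -> status %d (rejected before any division)\n", siz_check_subsampling(0, 1));
    printf("XRsiz=1,YRsiz=0 -> status %d\n", siz_check_subsampling(1, 0));
    return 0;
}
```

The validation lives in the marker parser rather than next to the division, which is where Comment 4 places the upstream fix (jpc_siz_getparms()); a decoder that only guards the one division site in jpc_dec_process_siz() would still carry a zero divisor into every later use of the component subsampling factors.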
Comment 7 Tomas Hoger 2016-11-30 06:34:49 EST
*** Bug 1385503 has been marked as a duplicate of this bug. ***
Comment 8 Tomas Hoger 2016-11-30 06:36:30 EST
The impact of this problem is limited to unexpected application termination. There is currently no plan to backport the fix to already released Red Hat Enterprise Linux versions.
Comment 10 errata-xmlrpc 2017-05-09 13:17:18 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208
