A double free vulnerability was found in mem_close in jas_stream.c, triggered by invoking the imginfo command on a specially crafted image file. CVE assignment: http://www.openwall.com/lists/oss-security/2016/10/16/14
Created mingw-jasper tracking bugs for this issue:
Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]

Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]
Original reporter's advisory: https://blogs.gentoo.org/ago/2016/10/16/jasper-double-free-in-mem_close-jas_stream-c/

Relevant info from the advisory:

Fuzzing revealed a double-free in mem_close.

# imginfo -f $FILE
Corrupt JPEG data: 1 extraneous bytes before marker 0xc4
=================================================================
==31536==ERROR: AddressSanitizer: attempting double-free on 0x619000003780 in thread T0:
    #0 0x4bfe10 in __interceptor_free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x7f15e7385450 in mem_close /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:1079:3
    #2 0x7f15e737ffcb in jas_stream_close /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:466:2
    #3 0x7f15e7353b71 in jas_image_cmpt_destroy /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:343:3
    #4 0x7f15e7353b71 in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:333
    #5 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
    #6 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
    #7 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
    #8 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
    #9 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
    #10 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #11 0x418bc8 in _start (/tmp/jasper-version-1.900.4/src/appl/.libs/imginfo+0x418bc8)

0x619000003780 is located 0 bytes inside of 1024-byte region [0x619000003780,0x619000003b80)
freed by thread T0 here:
    #0 0x4c0498 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71
    #1 0x7f15e7385048 in mem_resize /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:995:14
    #2 0x7f15e7385048 in mem_write /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:1018
    #3 0x7f15e73823a3 in jas_stream_flushbuf /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:819:7
    #4 0x7f15e7383e04 in jas_stream_flush /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:749:9
    #5 0x7f15e7383e04 in jas_stream_seek /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:656
    #6 0x7f15e7353b4a in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:332:4
    #7 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
    #8 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
    #9 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
    #10 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
    #11 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
    #12 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4c0118 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f15e737fb4e in jas_stream_memopen /tmp/jasper-version-1.900.4/src/libjasper/base/jas_stream.c:215:15
    #2 0x7f15e735397e in jas_image_cmpt_create /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:322:28
    #3 0x7f15e7356977 in jas_image_addcmpt /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:677:18
    #4 0x7f15e741bd7c in jpg_mkimage /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:247:7
    #5 0x7f15e741bd7c in jpg_decode /tmp/jasper-version-1.900.4/src/libjasper/jpg/jpg_dec.c:171
    #6 0x7f15e7354c8a in jas_image_decode /tmp/jasper-version-1.900.4/src/libjasper/base/jas_image.c:372:16
    #7 0x4f11bd in main /tmp/jasper-version-1.900.4/src/appl/imginfo.c:179:16
    #8 0x7f15e646c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: double-free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38 in __interceptor_free
==31536==ABORTING

There are 2 upstream bug reports with reproducers:
https://github.com/mdadams/jasper/issues/25
https://github.com/mdadams/jasper/issues/31

And the issue was fixed in version 1.900.10 via the following commit:
https://github.com/mdadams/jasper/commit/44a524e367597af58d6265ae2014468b334d0309

The problem is that mem_resize(), if called with bufsize == 0, was freeing m->buf_, but not setting it to NULL. As an error was returned by the function, it led to a second attempt to free the same memory in mem_close(). With the glibc malloc hardening, this issue is unlikely to have worse impact than unexpected application termination.
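The root cause described in the comment above, as an added C model written for this page; it is not JasPer's code and not the upstream fix. The memobj_t struct, the field names buf/bufsize, and the tracked_free/tracked_realloc helpers are this example's own constructions. The tracker exists so that the second free of the same block is counted and skipped rather than executed, since a real double free is undefined behaviour and, under glibc's malloc hardening, an abort. The vulnerable variant follows the description: realloc(buf, 0) releases the block and returns NULL, the function returns an error, and the stale pointer is left for mem_close to free again. The hardened variant rejects a zero-length resize before any allocator call, so ownership never changes on the error path.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical memory-stream object modelled on the comment above;
 * not JasPer's jas_stream_memobj_t, field names are this example's own. */
typedef struct {
    unsigned char *buf;
    size_t bufsize;
} memobj_t;

/* Constructed allocation tracker: a second free of the same block is
 * counted and skipped instead of executed (where free() would abort). */
#define MAX_TRACKED 16
static void *freed_ptrs[MAX_TRACKED];
static int freed_count;
static int double_free_attempts;

static void tracker_reset(void)
{
    freed_count = 0;
    double_free_attempts = 0;
}

static void tracked_free(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {
            double_free_attempts++;   /* the crash point in the ASan trace */
            return;
        }
    }
    if (freed_count < MAX_TRACKED)
        freed_ptrs[freed_count++] = p;
    free(p);
}

/* realloc() stand-in: size 0 behaves like glibc, releasing the block and
 * returning NULL; any other size defers to the real realloc(). */
static void *tracked_realloc(void *p, size_t n)
{
    if (n == 0) {
        tracked_free(p);
        return NULL;
    }
    return realloc(p, n);
}

/* Vulnerable pattern: on bufsize == 0 the old block is released and an
 * error is returned, but m->buf still points at the freed memory. */
static int mem_resize_vuln(memobj_t *m, size_t bufsize)
{
    unsigned char *buf = tracked_realloc(m->buf, bufsize);
    if (!buf)
        return -1;          /* m->buf is now dangling */
    m->buf = buf;
    m->bufsize = bufsize;
    return 0;
}

/* Hardened pattern: refuse a zero-length resize before touching the
 * allocator, so the error path never changes who owns m->buf. */
static int mem_resize_fixed(memobj_t *m, size_t bufsize)
{
    unsigned char *buf;
    if (bufsize == 0)
        return -1;          /* nothing freed, nothing dangling */
    buf = tracked_realloc(m->buf, bufsize);
    if (!buf)
        return -1;          /* a failed realloc leaves the old block valid */
    m->buf = buf;
    m->bufsize = bufsize;
    return 0;
}

/* Close releases the buffer; after the vulnerable resize this is the
 * second free of the same block. */
static void mem_close(memobj_t *m)
{
    tracked_free(m->buf);
    m->buf = NULL;
    m->bufsize = 0;
}

/* One open -> resize(0) -> close sequence; returns the number of
 * double-free attempts the tracker observed (0 is the desired result). */
static int run_scenario(int (*resize)(memobj_t *, size_t))
{
    memobj_t m;
    tracker_reset();
    m.buf = malloc(1024);   /* the 1024-byte region seen in the trace */
    m.bufsize = 1024;
    (void)resize(&m, 0);    /* both variants return -1 here */
    mem_close(&m);
    return double_free_attempts;
}

int main(void)
{
    printf("vulnerable mem_resize: %d double-free attempt(s)\n", run_scenario(mem_resize_vuln));
    printf("hardened mem_resize:   %d double-free attempt(s)\n", run_scenario(mem_resize_fixed));
    return 0;
}
```

The model collapses the real call chain (mem_write via jas_stream_flush and jas_stream_seek, then jas_stream_close) into resize-then-close, which is enough to show the ownership mistake: an error return that has already released the caller's buffer leaves the caller with no correct action. Either refuse the request before freeing, or null the field when the block is gone.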
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208