Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1393882 - (CVE-2016-9262) CVE-2016-9262 jasper: integer truncation in jas_image_cmpt_create()
CVE-2016-9262 jasper: integer truncation in jas_image_cmpt_create()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20161106,repor...
: Security
Depends On: 1393883 1393884 1393885 1393887 1439171 1439172 1439173 1439174
Blocks: 1314477
  Show dependency treegraph
 
Reported: 2016-11-10 09:33 EST by Adam Mariš
Modified: 2017-05-09 17:44 EDT (History)
29 users (show)

See Also:
Fixed In Version: jasper 1.900.22
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-09 17:44:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 17:13:57 EDT

  None (edit)
Description Adam Mariš 2016-11-10 09:33:29 EST
A number of overflows were found in jasper causing use after free vulnerability triggeerd by creafted image.

Upstream patch:

https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735

Reproducer:

https://github.com/asarubbo/poc/blob/master/00028-jasper-uaf-jas_realloc

CVE assignment:

http://seclists.org/oss-sec/2016/q4/385
Comment 1 Adam Mariš 2016-11-10 09:34:42 EST
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1393884]
Affects: epel-7 [bug 1393887]
Comment 2 Adam Mariš 2016-11-10 09:35:01 EST
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1393883]
Affects: epel-5 [bug 1393885]
Comment 3 Tomas Hoger 2017-03-29 09:25:14 EDT
Upstream bug report:

https://github.com/mdadams/jasper/issues/74

Original reporter's advisory:

https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c/

Relevant info from the advisory:

A crafted image, maybe posted in the past as testcase for another bug, causes in the 1.900.18 version a use-after-free. No fuzzers involved at this time.

The complete ASan output:

# imginfo -f $FILE
Corrupt JPEG data: 19 extraneous bytes before marker 0xda                                                                                                                                                                                                                      
=================================================================                                                                                                                                                                                                              
==21990==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000009b80 at pc 0x7fce4229d29d bp 0x7fffab22f9a0 sp 0x7fffab22f998                                                                                                                                       
READ of size 8 at 0x619000009b80 thread T0                                                                                                                                                                                                                                     
    #0 0x7fce4229d29c in jas_realloc /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:182:21                                                                                                                                       
    #1 0x7fce422a5e38 in mem_resize /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:1001:14                                                                                                                                       
    #2 0x7fce422a5e38 in mem_write /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:1027                                                                                                                                           
    #3 0x7fce422a30e5 in jas_stream_flushbuf /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:822:7                                                                                                                                
    #4 0x7fce422a4b4c in jas_stream_flush /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:752:9                                                                                                                                   
    #5 0x7fce422a4b4c in jas_stream_seek /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:659                                                                                                                                      
    #6 0x7fce42273928 in jas_image_cmpt_create /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:351:4                                                                                                                               
    #7 0x7fce42276986 in jas_image_addcmpt /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:723:18                                                                                                                                  
    #8 0x7fce4233e3fc in jpg_mkimage /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/jpg/jpg_dec.c:268:7                                                                                                                                            
    #9 0x7fce4233e3fc in jpg_decode /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/jpg/jpg_dec.c:183                                                                                                                                               
    #10 0x7fce422749bd in jas_image_decode /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:396:16                                                                                                                                  
    #11 0x4f1330 in main /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/appl/imginfo.c:203:16                                                                                                                                                                
    #12 0x7fce4138961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                       
    #13 0x418cb8 in _init (/usr/bin/imginfo+0x418cb8)                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                               
0x619000009b80 is located 0 bytes inside of 1056-byte region [0x619000009b80,0x619000009fa0)                                                                                                                                                                                   
freed by thread T0 here:                                                                                                                                                                                                                                                       
    #0 0x4bff00 in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38                                                                                                                                     
    #1 0x7fce4229d359 in jas_free /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:225:3                                                                                                                                           
                                                                                                                                                                                                                                                                               
previously allocated by thread T0 here:                                                                                                                                                                                                                                        
    #0 0x4c0208 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52                                                                                                                                   
    #1 0x7fce4229d0b2 in jas_malloc /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:148:13                                                                                                                                        
                                                                                                                                                                                                                                                                               
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:182:21 in jas_realloc                                                                                                              
Shadow bytes around the buggy address:                                                                                                                                                                                                                                         
  0x0c327fff9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0c327fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0c327fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0c327fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0c327fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
=>0x0c327fff9370:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd                                                                                                                                                                                                              
  0x0c327fff9380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd                                                                                                                                                                                                              
  0x0c327fff9390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd                                                                                                                                                                                                              
  0x0c327fff93a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd                                                                                                                                                                                                              
  0x0c327fff93b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd                                                                                                                                                                                                              
  0x0c327fff93c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd                                                                                                                                                                                                              
Shadow byte legend (one shadow byte represents 8 application bytes):                                                                                                                                                                                                           
  Addressable:           00                                                                                                                                                                                                                                                    
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21990==ABORTING

Affected version: 1.900.18

Fixed version: 1.900.22

Commit fix:
https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735
Comment 4 Tomas Hoger 2017-03-29 09:32:35 EDT
This is one of the problems that were already discussed as part of CVE-2015-5203, see bug 1254242 comment 11.  There was an integer overflow problem in the jas_image_cmpt_create() function.  Earlier patches ensured that the result of the multiplication can fit into size_t type, but later passed the value to the jas_stream_memopen() function, which size with the type of int.  This integer truncation could lead to bypass of the original integer overflow fix.
Comment 7 errata-xmlrpc 2017-05-09 13:18:25 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208

Note You need to log in before you can comment on or make changes to this bug.