Bug 1396959 (CVE-2016-9387) - CVE-2016-9387 jasper: integer overflow in jpc_dec_process_siz()
Summary: CVE-2016-9387 jasper: integer overflow in jpc_dec_process_siz()
Status: CLOSED ERRATA
Alias: CVE-2016-9387
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20161023,reported=2...
Keywords: Reopened, Security
Depends On: 1396986 1396987 1396988 1396989 1439171 1439172 1439173 1439174
Blocks: 1314477
TreeView+ depends on / blocked
 
Reported: 2016-11-21 09:43 UTC by Adam Mariš
Modified: 2019-04-28 13:07 UTC (History)
27 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-05-09 21:40:41 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 21:13:57 UTC

Description Adam Mariš 2016-11-21 09:43:05 UTC
An integer overflow in jpc_dec_process_siz was found that can be triggered by crafted image file when given as input to imginfo

Upstream patch:

https://github.com/mdadams/jasper/commit/d91198abd00fc435a397fe6bad906a4c1748e9cf

CVE assignment:

http://seclists.org/oss-sec/2016/q4/441

Comment 1 Adam Mariš 2016-11-21 10:30:59 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1396987]
Affects: epel-7 [bug 1396989]

Comment 2 Adam Mariš 2016-11-21 10:31:19 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1396986]
Affects: epel-5 [bug 1396988]

Comment 3 Tomas Hoger 2017-03-02 22:06:19 UTC
This issue was originally reported as an assertion failure.  Upstream bug report is:

https://github.com/mdadams/jasper/issues/49

The fix for integer overflow problem in jpc_dec_process_siz() did not directly address the problem, but it did have a side effect of preventing the assertion failure with the original reproducer.

The original issue reporter was able to trigger the same assertion failure even after this fix using different reproducer.  That was reported upstream in:

https://github.com/mdadams/jasper/issues/53

This got a separate CVE-2016-9390 (see bug 1396965).

The integer overflow check added in d91198a was also incomplete - it ensured that the product of dec->numhtiles * dec->numvtiles can fit into size_t type, but later assigned the value to dec->numtiles having a type of int.  Assignment form size_t to int can truncate the value, allowing integer overflow to happen.  This problem was reported upstream in:

https://github.com/mdadams/jasper/issues/119

and fixed in:

https://github.com/mdadams/jasper/commit/a712a2041085e7cd5f2b153e1532ac2a2954ffaa


As previously noted, this integer overflow fix was not a proper fix for the original reported issue.  However, it could be an issue of its own, as similar integer overflows prior to memory allocation often lead to heap-based buffer overflows later.  That's not the case here, as the allocated dec->tiles[] array is not accessed beyond the (mis-computed) dec->numtiles.

As the problem of integer overflow in jpc_dec_process_siz() does not seem to have any security impact, it's not currently planned to be addressed in jasper packages in Red Hat Enterprise Linux 6 and 7.

Comment 4 Tomas Hoger 2017-03-02 22:10:10 UTC
Original reporter's advisory:

https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/

Relevant info from the advisory:

Affected version:
1.900.12

Output/failure:
imginfo: /tmp/portage/media-libs/jasper-1.900.12/work/jasper-1.900.12/src/libjasper/base/jas_seq.c:90: jas_matrix<= yend' failed.

Commit fix:
https://github.com/mdadams/jasper/commit/d91198abd00fc435a397fe6bad906a4c1748e9cf

Fixed version:
1.900.13

Testcase:
https://github.com/asarubbo/poc/blob/master/00003-jasper-assert-jas_matrix_t

CVE:
CVE-2016-9387

Comment 6 Tomas Hoger 2017-03-31 20:34:31 UTC
Re-considering inclusion for easier future testing.

Comment 8 errata-xmlrpc 2017-05-09 17:18:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208


Note You need to log in before you can comment on or make changes to this bug.