An assertion failure was possible to trigger in calcstepsizes. CVE assignment: http://seclists.org/oss-sec/2016/q4/441
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1396987] Affects: epel-7 [bug 1396989]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1396986] Affects: epel-5 [bug 1396988]
Upstream bug report: https://github.com/mdadams/jasper/issues/83 Original reporter's advisory: https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/ Relevant information form the advisory: Affected version: 1.900.22 Output/failure: warning: trailing garbage in marker segment (9 bytes) warning: trailing garbage in marker segment (28 bytes) warning: trailing garbage in marker segment (40 bytes) warning: ignoring unknown marker segment (0xffee) type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 40 e4 e4 00 10 00 00 4f warning: trailing garbage in marker segment (12 bytes) imginfo: /tmp/portage/media-libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_dec.c:1650: void calcstepsizes(uint_fast16_t, int, uint_fast16_t *): Assertion `!((expn + (numrlvls – 1) – (numrlvls – 1 – ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))’ failed. Commit fix: N/A Fixed version: N/A Testcase: https://github.com/asarubbo/poc/blob/master/00044-jasper-assert-calcstepsizes CVE: CVE-2016-9399
Upstream bug is still open and unfixed. The issue is not reproducible in version 1.900.26 and later, as there's limit on maximum number of samples in one image used in those versions. The issue is reproducible in the latest 2.0.12 when no samples limit is used (specified using --max-samples 0 option for jasper command line tools).
Upstream commit: https://github.com/jasper-software/jasper/commit/84d00fb29a22e360c2ff91bdc2cd81c288826bfc The issue was fixed upstream in jasper 2.0.17.
*** Bug 1488964 has been marked as a duplicate of this bug. ***
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-9399