Red Hat Bugzilla – Bug 1416063
CVE-2017-5500 jasper: Invalid exponent shift in jpc_calcabsstepsize() in jpc_dec.c
Last modified: 2017-05-09 17:35:21 EDT
A vulnerability was found in jasper. A crafted file could cause a crash via invalid exponent shift. References: http://seclists.org/oss-sec/2017/q1/101
Created mingw-jasper tracking bugs for this issue: Affects: epel-7 [bug 1406409]
Created jasper tracking bugs for this issue: Affects: epel-5 [bug 1406406]
Upstream bug report: https://github.com/mdadams/jasper/issues/64 This issue has not been resolved upstream yet (the current upstream version is 2.0.12). Reporter's advisory: https://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ Relevant information from the advisory: With the undefined behavior sanitizer enabled, jasper crashes showing some left shift and some signed integer overflow. ... Affected version / Tested on: 1.900.17 Fixed version: N/A Commit fix: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c Relevant part of the stacktrace: # imginfo -f $FILE /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819:40: runtime error: shift exponent 117 is too large for 64-bit type 'jpc_fix_t' (aka 'long') CVE: CVE-2017-5500
The important information form the advisory is that this crash only occurs when jasper is compiles with undefined behaviour sanitizer (ubsan) enabled. That is a development tool aimed to identify possible code bugs related to undefined behaviour. There is no crash as described by this CVE in builds not using ubsan.