Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1434447 - (CVE-2016-10248) CVE-2016-10248 jasper: NULL pointer dereference in jpc_tsfb_synthesize()
CVE-2016-10248 jasper: NULL pointer dereference in jpc_tsfb_synthesize()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20161020,reported=2...
: Reopened, Security
Depends On: 1434466 1434467 1439171 1439172 1439173 1439174
Blocks: 1314477
  Show dependency treegraph
 
Reported: 2017-03-21 10:11 EDT by Adam Mariš
Modified: 2017-05-09 17:40 EDT (History)
22 users (show)

See Also:
Fixed In Version: jasper 1.900.9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-09 17:40:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 17:13:57 EDT

  None (edit)
Description Adam Mariš 2017-03-21 10:11:06 EDT 
Null pointer dereference vulnerability in jpc_tsfb_synthesize was found.

Upstream patch:

https://github.com/mdadams/jasper/commit/2e82fa00466ae525339754bb3ab0a0474a31d4bd

Published on oss-security:

http://seclists.org/oss-sec/2017/q1/606

Reference:

https://blogs.gentoo.org/ago/2016/10/20/jasper-null-pointer-dereference-in-jpc_tsfb_synthesize-jpc_tsfb-c/
Comment 1 Adam Mariš 2017-03-21 10:44:37 EDT 
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1434466]


Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434467]
Comment 2 Tomas Hoger 2017-03-23 17:05:56 EDT 
Upstream bug report:

https://github.com/mdadams/jasper/issues/39

Quoting relevant information form the original reporter's advisory:

https://blogs.gentoo.org/ago/2016/10/20/jasper-null-pointer-dereference-in-jpc_tsfb_synthesize-jpc_tsfb-c/

Another round of fuzzing on an updated version (1.900.5) revealed another NULL pointer access

The complete ASan output:

# imginfo -f $FILE
warning: trailing garbage in marker segment (14 bytes)
warning: not enough tile data (15 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
ASAN:DEADLYSIGNAL
=================================================================
==7144==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6d3c37d0b0 bp 0x7ffdc7407a90 sp 0x7ffdc7407a30 T0)
    #0 0x7f6d3c37d0af in jpc_tsfb_synthesize /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4
    #1 0x7f6d3c2f5140 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:1068:3
    #2 0x7f6d3c2e5c40 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:623:7
    #3 0x7f6d3c2ef294 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:390:10
    #4 0x7f6d3c2ef294 in jpc_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:254
    #5 0x7f6d3c2bd061 in jp2_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_dec.c:215:21
    #6 0x7f6d3c24df39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #7 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #8 0x7f6d3b35c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                        
    #9 0x418e68 in _init (/usr/bin/imginfo+0x418e68)                                                                                                                                                                                                                           

AddressSanitizer can not provide additional info.                                                                                                                                                                                                                              
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4 in jpc_tsfb_synthesize                                                                                                                           
==7144==ABORTING

Affected version: 1.900.5

Fixed version: 1.900.9
Comment 3 Tomas Hoger 2017-03-23 17:07:30 EDT 
The impact of this flaw is limited to application crash.  There is currently no plan to backport the fix to already released Red Hat Enterprise Linux versions.
Comment 5 errata-xmlrpc 2017-05-09 13:21:35 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.