Bug 1434458 - (CVE-2017-6850) CVE-2017-6850 jasper: uninitialized pointer use in jp2_cdef_destroy()
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170125,repor...
Keywords: Security
Depends On: 1434464 1434465 1434466 1434467
Blocks: 1314477
Reported: 2017-03-21 10:31 EDT by Adam Mariš
Modified: 2017-07-19 11:22 EDT
Fixed In Version: jasper 2.0.13
Last Closed: 2017-03-31 11:02:36 EDT
Attachments: None

Description Adam Mariš 2017-03-21 10:31:34 EDT
A null pointer dereference vulnerability in jp2_cdef_destroy was found.

Upstream bug:

https://github.com/mdadams/jasper/issues/112

Upstream patch:

https://github.com/mdadams/jasper/commit/e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d

Reference:

http://seclists.org/oss-sec/2017/q1/191
Comment 1 Adam Mariš 2017-03-21 10:44:59 EDT
Created jasper tracking bugs for this issue:

Affects: epel-5 [bug 1434466]
Affects: fedora-all [bug 1434464]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]
Comment 2 Tomas Hoger 2017-03-31 10:58:43 EDT
The problem here was that the jp2_box_get() function, unlike jp2_box_create(), did not properly initialize members of the jp2_box_t structure after allocating it.  If some error occurred while reading data from the file before the structure was fully initialized, jasper called jp2_box_destroy().  While destroying the structure, an uninitialized pointer could be used or freed (e.g. in the jp2_cdef_destroy() function).

This issue did not affect the versions of jasper as shipped in Red Hat Enterprise Linux, as they used jas_calloc() instead of jas_malloc() to allocate jp2_box_t in jp2_box_get() causing it to be initialized.  This fix was included as part of the fix for CVE-2008-3520 (see bug 461476).
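To make the mechanism described in the comment above concrete, here is an added example that is not jasper's code and not part of this bug report. It models a JP2 box parser in the shape the comment describes: a box_get() that allocates the box, fills it in field by field from the stream, and tears it down through the type-specific destroy hook when the input runs out early. The box header (4-byte big-endian LBox, 4-byte TBox) and the 'cdef' payload layout (2-byte N, then N entries of three 2-byte fields) follow the JP2 format as I recall it; the page itself does not describe the format, and the sample inputs are constructed here rather than taken from the reporter's PoC. The zeroed flag on box_get() selects the jas_calloc()-style allocation that the comment credits for keeping the RHEL build unaffected; the plain malloc() path is kept only for contrast and must not be run on truncated input, because box_destroy() would then read an indeterminate ops pointer or free an indeterminate ents pointer (the 0xbebebebe... register values in the ASan trace quoted later on this page are consistent with ASan's default fill byte for fresh malloc() memory).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BOX_HDR_LEN   8u
#define BOX_TYPE_CDEF 0x63646566u   /* TBox 'c','d','e','f' */

typedef struct { uint16_t channo, type, assoc; } cdef_ent_t;
typedef struct { uint16_t numchans; cdef_ent_t *ents; } cdef_box_t;

struct box;
typedef struct { void (*destroy)(struct box *); } box_ops_t;

typedef struct box {
    uint32_t len;            /* LBox: total box length incl. 8-byte header */
    uint32_t type;           /* TBox */
    const box_ops_t *ops;    /* type-specific hooks; NULL for unknown types */
    union { cdef_box_t cdef; } data;
} box_t;

/* Byte-buffer cursor standing in for jasper's jas_stream_t (hypothetical). */
typedef struct { const uint8_t *p; size_t len, pos; } stream_t;

static int stream_get_be16(stream_t *s, uint16_t *v) {
    if (s->len - s->pos < 2) return -1;           /* truncated input */
    *v = (uint16_t)((s->p[s->pos] << 8) | s->p[s->pos + 1]);
    s->pos += 2;
    return 0;
}

static int stream_get_be32(stream_t *s, uint32_t *v) {
    uint16_t hi, lo;
    if (stream_get_be16(s, &hi) || stream_get_be16(s, &lo)) return -1;
    *v = ((uint32_t)hi << 16) | lo;
    return 0;
}

/* Same shape as the jp2_cdef_destroy() frame in the trace: it trusts ents
   to be either NULL or a valid heap pointer. On a malloc()'ed, half-filled
   box that trust is misplaced and free() gets garbage. */
static void cdef_destroy(box_t *box) {
    if (box->data.cdef.ents) free(box->data.cdef.ents);
}

static const box_ops_t cdef_ops = { cdef_destroy };

static void box_destroy(box_t *box) {
    if (box->ops && box->ops->destroy) box->ops->destroy(box);
    free(box);
}

static int cdef_getdata(box_t *box, stream_t *s) {
    cdef_box_t *cdef = &box->data.cdef;
    if (stream_get_be16(s, &cdef->numchans)) return -1;
    if (cdef->numchans &&
        !(cdef->ents = calloc(cdef->numchans, sizeof(*cdef->ents)))) return -1;
    for (uint16_t i = 0; i < cdef->numchans; i++) {
        cdef_ent_t *e = &cdef->ents[i];
        if (stream_get_be16(s, &e->channo) || stream_get_be16(s, &e->type) ||
            stream_get_be16(s, &e->assoc))
            return -1;    /* mid-entry truncation: caller tears down a partial box */
    }
    return 0;
}

/* zeroed != 0: calloc(), every member starts as 0/NULL, so an early error
   reaches box_destroy() with ops == NULL and ents == NULL (safe).
   zeroed == 0: malloc(), the jas_malloc() path behind CVE-2017-6850; on a
   truncated header or payload this is undefined behaviour. Never run it. */
static box_t *box_get(stream_t *s, int zeroed) {
    box_t *box = zeroed ? calloc(1, sizeof(*box)) : malloc(sizeof(*box));
    if (!box) return NULL;
    if (stream_get_be32(s, &box->len) || stream_get_be32(s, &box->type))
        goto error;                         /* ops still unset here */
    if (box->len < BOX_HDR_LEN) goto error;
    box->ops = (box->type == BOX_TYPE_CDEF) ? &cdef_ops : NULL;
    if (box->type == BOX_TYPE_CDEF && cdef_getdata(box, s))
        goto error;                         /* ents may be partially built */
    return box;
error:
    box_destroy(box);
    return NULL;
}

/* Parse one box with the hardened allocation and return its cdef channel
   count (0 for a non-cdef box), or -1 after a clean teardown on bad input. */
static int parse_cdef_count(const uint8_t *buf, size_t len) {
    stream_t s = { buf, len, 0 };
    box_t *box = box_get(&s, 1);
    if (!box) return -1;
    int n = (box->type == BOX_TYPE_CDEF) ? box->data.cdef.numchans : 0;
    box_destroy(box);
    return n;
}

/* Constructed sample inputs (not the reporter's PoC file). */
static const uint8_t SAMPLE_CDEF_OK[] = {
    0x00,0x00,0x00,0x16, 'c','d','e','f',   /* LBox = 22, TBox = 'cdef' */
    0x00,0x02,                              /* N = 2 channel definitions */
    0x00,0x00, 0x00,0x00, 0x00,0x00,        /* entry 0 */
    0x00,0x01, 0x00,0x00, 0x00,0x00 };      /* entry 1 */
static const uint8_t SAMPLE_CDEF_TRUNC[] = {
    0x00,0x00,0x00,0x16, 'c','d','e','f',
    0x00,0x02, 0x00,0x00, 0x00,0x00 };      /* cut off inside entry 0 */

int main(void) {
    printf("well-formed : %d\n", parse_cdef_count(SAMPLE_CDEF_OK, sizeof SAMPLE_CDEF_OK));
    printf("truncated   : %d\n", parse_cdef_count(SAMPLE_CDEF_TRUNC, sizeof SAMPLE_CDEF_TRUNC));
    printf("header only : %d\n", parse_cdef_count(SAMPLE_CDEF_OK, 5));
    return 0;
}
```

Compile with `cc -std=c99 -Wall -fsanitize=address` to mirror the reporter's setup; the three parse calls above return 2, -1 and -1 without any sanitizer report. The one-line difference between the two allocation branches in box_get() is the whole fix class: zero the object before any code path can hand it to its destructor, or else set every owning pointer to NULL explicitly before the first read that can fail.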
Comment 3 Tomas Hoger 2017-03-31 10:59:57 EDT
There's no released upstream version including the fix, but as the latest released is 2.0.12, and the fix is already committed, the next version - presumably 2.0.13 - should contain it.
Comment 4 Tomas Hoger 2017-03-31 11:01:03 EDT
Original reporter's advisory:

https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-jp2_cdef_destroy-jp2_cod-c/

Relevant information from the advisory:

Another round of fuzzing shows that a crafted image causes a NULL pointer access.

The complete ASan output:

# imginfo -f $FILE
cannot parse box data
ASAN:DEADLYSIGNAL
=================================================================
==6697==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041da35 bp 0xbebebebebebebeae sp 0x7fff60ad6480 T0)
    #0 0x41da34 in atomic_compare_exchange_strong /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x41da34 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:468
    #2 0x41da34 in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:522
    #3 0x41da34 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:725
    #4 0x4d271c in free /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:50
    #5 0x7f86ef11c995 in jp2_cdef_destroy /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:230:3
    #6 0x7f86ef11e18e in jp2_box_destroy /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:212:3
    #7 0x7f86ef11e18e in jp2_box_get /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:319
    #8 0x7f86ef1219f6 in jp2_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_dec.c:159:16
    #9 0x7f86ef0e4214 in jas_image_decode /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_image.c:444:16
    #10 0x50a3be in main /tmp/portage/media-libs/jasper-2.0.10/work/jasper-2.0.10/src/appl/imginfo.c:238:16
    #11 0x7f86ee1c478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #12 0x419cd8 in _start (/usr/bin/imginfo+0x419cd8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong
==6697==ABORTING

Affected version: 2.0.10

Fixed version: 2.0.13 (not released atm)

Commit fix:
https://github.com/mdadams/jasper/commit/e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d

Credit: This bug was discovered by Agostino Sarubbo of Gentoo.

CVE: CVE-2017-6850

Reproducer:
https://github.com/asarubbo/poc/blob/master/00124-jasper-nullptr-jp2_cdef_destroy
Comment 6 Andrej Nemec 2017-07-19 11:22:37 EDT
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434464]
