Bug 1488961 – CVE-2017-13748 jasper: tile memory not released on image parsing errors

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1488961 - (CVE-2017-13748) CVE-2017-13748 jasper: tile memory not released on image parsing errors

Summary:	CVE-2017-13748 jasper: tile memory not released on image parsing errors

Status:	NEW

Aliases:	CVE-2017-13748

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170825,repor...
Keywords:	Security

Depends On:	1434464 1434465 1485287 1434467
Blocks:	1449402
	Show dependency tree / graph

Reported:	2017-09-06 09:57 EDT by Andrej Nemec
Modified:	2018-07-18 11:30 EDT (History)
CC List:	17 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2017-09-06 09:57:58 EDT

There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a denial of service attack.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1485287

Comment 1 Andrej Nemec 2017-09-06 10:07:29 EDT

Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434464]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]

Comment 2 Tomas Hoger 2017-12-07 09:08:44 EST

Reported upstream now via:

https://github.com/mdadams/jasper/issues/168

There is no bug in jas_strdup() as originally claimed, and only a fairly minor issue in the imginfo tool related to jas_strdup(), as the tool does not de-init Jasper library properly on errors.  That does not really matter, as the program exits immediately.

The real problem seems to be a lack of proper release of memory used to store image tile data when image decoding fails.  There's also an open merge request upstream that aims to address this problem by calling jpc_dec_tilefini() from jpc_dec_destroy():

https://github.com/mdadams/jasper/pull/159

However, the problem remains unfixed in the current upstream version 2.0.14.

Note You need to log in before you can comment on or make changes to this bug.