Bug 1488961 (CVE-2017-13748) - CVE-2017-13748 jasper: tile memory not released on image parsing errors
Summary: CVE-2017-13748 jasper: tile memory not released on image parsing errors
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-13748
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1434464 1434465 1434467 1485287 1910583
Blocks: 1449402
TreeView+ depends on / blocked
 
Reported: 2017-09-06 13:57 UTC by Andrej Nemec
Modified: 2021-01-18 06:27 UTC (History)
15 users (show)

Fixed In Version: jasper 2.0.17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-18 06:27:53 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-09-06 13:57:58 UTC
There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a denial of service attack.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1485287

Comment 1 Andrej Nemec 2017-09-06 14:07:29 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1434464]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1434465]
Affects: fedora-all [bug 1434467]

Comment 2 Tomas Hoger 2017-12-07 14:08:44 UTC
Reported upstream now via:

https://github.com/mdadams/jasper/issues/168

There is no bug in jas_strdup() as originally claimed, and only a fairly minor issue in the imginfo tool related to jas_strdup(), as the tool does not de-init Jasper library properly on errors.  That does not really matter, as the program exits immediately.

The real problem seems to be a lack of proper release of memory used to store image tile data when image decoding fails.  There's also an open merge request upstream that aims to address this problem by calling jpc_dec_tilefini() from jpc_dec_destroy():

https://github.com/mdadams/jasper/pull/159

However, the problem remains unfixed in the current upstream version 2.0.14.

Comment 5 Tomas Hoger 2020-12-28 21:24:48 UTC
Upstream commit:

https://github.com/jasper-software/jasper/commit/c4d3456d4e3f071ab7b3323422282e880a6b10ca

The issue was fixed upstream in jasper 2.0.17.

Comment 6 Product Security DevOps Team 2021-01-18 06:27:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-13748


Note You need to log in before you can comment on or make changes to this bug.