Red Hat Bugzilla – Bug 1561699
CVE-2018-9055 jasper: reachable assertion in jpc_firstone() in jpc_math.c
Last modified: 2018-07-18 11:53:35 EDT
JasPer 2.0.14 allows denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c which could lead to a denial of service attack. References: https://github.com/mdadams/jasper/issues/172
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1561702] Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1561700] Created mingw-jasper tracking bugs for this issue: Affects: epel-7 [bug 1561701]
The vulnerability was introduced just prior to 1.900.19, with the conversion of some local variables from `int` to `jpc_fix_t`, which can be larger than 32 bits.
In reply to comment 2: > The vulnerability was introduced just prior to 1.900.19, Correction: the particular instance of the vulnerability shown in the upstream report's stack trace was introduced in this version. jpc_firstone() is used quite widely in the code base, and other conversions to jpc_fix_t (eg in jpc/jpc_enc.c) using data from the input file could trigger the same assertion. Applying the upstream patch which converts jpc_firstone(int) to jpc_firstone(int_fast32_t) corrects all of these cases.
Statement: The following products are now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates of these products. * Red Hat Enterprise Linux 5 * Red Hat Enterprise Virtualization 3 For additional information, please refer to the Life Cycle and Update Policies: https://access.redhat.com/support/policy/update_policies/
This issue affects the latest released jasper 2.0.14, and not fix has been applied upstream, even though reporter already closed the upstream bug. This assertion is triggered during image encoding, e.g. when converting a specially-crafted image to a different format using jasper. This lowers impact of this issue.