There is a reachable abort in the function jpc_dec_process_sot in libjasper/jpc/jpc_dec.c of JasPer 2.0.14 that will lead to a remote denial of service attack by triggering an unexpected jas_alloc2 return value, a different vulnerability than CVE-2017-13745. Reference: https://drive.google.com/drive/u/2/folders/1YuxdfbZrw79kfzoQz0PpxIutZ7pkf_kW
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1610136]

Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1610138]
Affects: fedora-all [bug 1610137]
Reproduced on F28 with jasper-2.0.14-5.fc28.x86_64:

# gdb -q jasper
Reading symbols from jasper...Reading symbols from /usr/lib/debug/usr/bin/jasper-2.0.14-5.fc28.x86_64.debug...done.
done.
(gdb) r --input jasper_POC --output-format jp2
Starting program: /usr/bin/jasper --input jasper_POC --output-format jp2
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.27-30.fc28.x86_64
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)

Program received signal SIGABRT, Aborted.
0x00007ffff71f4feb in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: dnf debuginfo-install libjpeg-turbo-1.5.3-6.fc28.x86_64
(gdb) bt
#0  0x00007ffff71f4feb in raise () from /lib64/libc.so.6
#1  0x00007ffff71df5c1 in abort () from /lib64/libc.so.6
#2  0x00007ffff7b84c18 in jpc_dec_process_sot (dec=0x55555575f900, ms=0x55555575f9d0) at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/libjasper/jpc/jpc_dec.c:488
#3  0x00007ffff7b9bdc5 in jpc_dec_decode (dec=0x55555575f900) at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/libjasper/jpc/jpc_dec.c:424
#4  jpc_decode (in=<optimized out>, optstr=<optimized out>) at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7b8c801 in jas_image_decode (in=in@entry=0x55555575b710, fmt=<optimized out>, optstr=0x0) at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/libjasper/base/jas_image.c:442
#6  0x0000555555555aba in main () at /usr/src/debug/jasper-2.0.14-5.fc28.x86_64/src/appl/jasper.c:236
#7  0x00007ffff71e124b in __libc_start_main () from /lib64/libc.so.6
#8  0x0000555555555eca in _start ()
Here are details that are noted for this issue on the Google Drive link in comment 0:

Triggered by: ./jasper --input jasper_POC --output-format jp2

Description of problem:
There is a reachable abort in function jpc_dec_process_sot of JasPer that will lead to remote denial of service attack.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./jasper --input jasper_POC --output-format jp2

The output information is as follows:
./jasper --input jasper_POC --output-format jp2
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)
Aborted (core dumped)

The gdb debugging information:
(gdb) set args --input jasper_POC --output-format jp2
(gdb) r
Starting program: /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/appl/jasper --input jasper_POC --output-format jp2
warning: trailing garbage in marker segment (1 bytes)
warning: trailing garbage in marker segment (23 bytes)

Program received signal SIGABRT, Aborted.
0x00007ffff7674428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7674428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff767602a in __GI_abort () at abort.c:89
#2  0x00007ffff7af5299 in jpc_dec_process_sot (dec=dec@entry=0x60d6b0, ms=ms@entry=0x60d780) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:488
#3  0x00007ffff7aeb8e9 in jpc_dec_decode (dec=0x60d6b0) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:424
#4  jpc_decode (in=<optimized out>, optstr=<optimized out>) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7a785a4 in jas_image_decode (in=in@entry=0x6094c0, fmt=<optimized out>, optstr=0x0) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/libjasper/base/jas_image.c:442
#6  0x0000000000401c35 in main (argc=5, argv=<optimized out>) at /home/afl/software/fuzzing-benchmarks/jasper-2.0.14/src/appl/jasper.c:236

jpc_dec_process_sot in jpc_dec.c:

	if (dec->ppmstab) {
		/* Convert the PPM marker segment data into a collection of
		  streams (one stream per tile-part). */
		if (!(dec->pkthdrstreams = jpc_ppmstabtostreams(dec->ppmstab))) {
			abort();
		}
		jpc_ppxstab_destroy(dec->ppmstab);
		dec->ppmstab = 0;
	}
(In reply to Sam Fowler from comment #0)
> There is a reachable abort in the function jpc_dec_process_sot in
> libjasper/jpc/jpc_dec.c of JasPer 2.0.14 that will lead to a remote denial
> of service attack by triggering an unexpected jas_alloc2 return value, a
> different vulnerability than CVE-2017-13745.

The above information is not correct. I see no evidence that this is different from CVE-2017-13745. The provided reproducer triggers the same problem that is already covered by CVE-2017-13745.

The jpc_dec_process_sot() function calls jpc_ppmstabtostreams(), which returns an error because of entno becoming equal to tab->numents:

https://github.com/mdadams/jasper/blob/version-2.0.14/src/libjasper/jpc/jpc_dec.c#L2375-L2377

When that happens, jpc_dec_process_sot() calls abort():

https://github.com/mdadams/jasper/blob/version-2.0.14/src/libjasper/jpc/jpc_dec.c#L514-L516

This is noted as a root cause in the flaw analysis that is provided along with the reproducer, see the last part of comment 5 above.

However, the CVE description notes "an unexpected jas_alloc2 return value" as being the cause of this new CVE-2018-9154. That seems to be an incorrect analysis of the crash. It refers to the following code earlier in jpc_dec_process_sot():

https://github.com/mdadams/jasper/blob/version-2.0.14/src/libjasper/jpc/jpc_dec.c#L486-L489

There, jas_alloc2() is called, and abort() is used when an error occurs. However, the reproducer does not demonstrate that. The dec->numcomps value for the reproducer is 2, so it does not trigger failure because of the integer overflow check, and is unlikely to fail because of an out-of-memory condition.

However, as the code to handle errors of both jpc_ppmstabtostreams() and jas_alloc2() is the same, optimized builds of jasper use just one copy of the code, so debuggers show that abort() is called after jas_alloc2() failure while it is actually called after jpc_ppmstabtostreams() failure.
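As an added illustration of the merged-error-path point made in the comment above (example code, not JasPer's; the demo_* names and the simplified stand-ins for jas_alloc2() and jpc_ppmstabtostreams() are assumptions), this models the two checks in jpc_dec_process_sot() so that each failure stays distinguishable and is returned to the caller instead of aborting:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Added example, not JasPer code; all demo_* names are hypothetical. It models the
 * two checks in jpc_dec_process_sot() discussed above, but gives each failure its
 * own code and message (distinguishable even when -O2 merges the two identical
 * abort() tails and gdb reports the wrong line) and returns the failure instead
 * of aborting, so a malformed codestream is rejected without killing the process. */
enum demo_err { DEMO_OK = 0, DEMO_ERR_ALLOC = 1, DEMO_ERR_PPM = 2 };

/* Stand-in for jas_alloc2(): overflow-checked multiply before malloc. */
static void *demo_alloc2(size_t n, size_t sz)
{
    if (sz != 0 && n > SIZE_MAX / sz) return NULL;  /* n * sz would overflow */
    return malloc(n * sz);
}

/* Stand-in for jpc_ppmstabtostreams(): fails once entno reaches numents. */
static int demo_ppmstab_to_streams(int entno, int numents)
{
    return entno < numents ? 0 : -1;
}

/* Models jpc_dec_process_sot(); `why` may be NULL. */
int demo_process_sot(size_t numcomps, int entno, int numents, const char **why)
{
    void *tiles = demo_alloc2(numcomps, 64);
    if (!tiles) {
        if (why) *why = "jas_alloc2 failed (size overflow or out of memory)";
        return DEMO_ERR_ALLOC;
    }
    if (demo_ppmstab_to_streams(entno, numents) < 0) {
        free(tiles);
        if (why) *why = "jpc_ppmstabtostreams failed (entno == numents)";
        return DEMO_ERR_PPM;
    }
    free(tiles);
    if (why) *why = "ok";
    return DEMO_OK;
}

int main(void)
{
    const char *why = NULL;                 /* numcomps = 2 as in the reproducer */
    int rc = demo_process_sot(2, 3, 3, &why);
    printf("rc=%d: %s\n", rc, why);
    return rc == DEMO_OK ? 0 : 1;
}
```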
Upstream bug report for CVE-2017-13745 is: https://github.com/mdadams/jasper/issues/166
(In reply to Tomas Hoger from comment #6)
> However, as the code to handle errors of both jpc_ppmstabtostreams() and
> jas_alloc2() is the same, optimized builds of jasper use just one copy of
> the code, so debuggers show that abort() is called after jas_alloc2()
> failure while it is actually called after jpc_ppmstabtostreams() failure.

Here is a gdb backtrace from a build of jasper 2.0.14 with -O2 optimization:

#0  0x00007ffff71f6feb in raise () from /lib64/libc.so.6
#1  0x00007ffff71e15c1 in abort () from /lib64/libc.so.6
#2  0x00007ffff7b86b10 in jpc_dec_process_sot (dec=0x6057d0, ms=0x6058a0) at /tmp/jasper-2.0.14-O2/src/libjasper/jpc/jpc_dec.c:488
#3  0x00007ffff7b9ced5 in jpc_dec_decode (dec=0x6057d0) at /tmp/jasper-2.0.14-O2/src/libjasper/jpc/jpc_dec.c:424
#4  jpc_decode (in=<optimized out>, optstr=<optimized out>) at /tmp/jasper-2.0.14-O2/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7b8e32d in jas_image_decode (in=in@entry=0x6036a0, fmt=<optimized out>, fmt@entry=5, optstr=optstr@entry=0x7fffffffdb80 "") at /tmp/jasper-2.0.14-O2/src/libjasper/base/jas_image.c:442
#6  0x0000000000400f6b in main () at /tmp/jasper-2.0.14-O2/src/appl/imginfo.c:238
#7  0x00007ffff71e324b in __libc_start_main () from /lib64/libc.so.6
#8  0x00000000004011da in _start ()

jpc_dec.c:488 indicates abort() called after jas_alloc2().
A build with -O0 instead of -O2:

#0  0x00007ffff71d8feb in raise () from /lib64/libc.so.6
#1  0x00007ffff71c35c1 in abort () from /lib64/libc.so.6
#2  0x00007ffff7b87ca1 in jpc_dec_process_sot (dec=0x6057d0, ms=0x6058a0) at /tmp/jasper-2.0.14-O0/src/libjasper/jpc/jpc_dec.c:515
#3  0x00007ffff7b87a41 in jpc_dec_decode (dec=0x6057d0) at /tmp/jasper-2.0.14-O0/src/libjasper/jpc/jpc_dec.c:424
#4  0x00007ffff7b87621 in jpc_decode (in=0x6036a0, optstr=0x7fffffffdb30 "") at /tmp/jasper-2.0.14-O0/src/libjasper/jpc/jpc_dec.c:261
#5  0x00007ffff7b724fb in jas_image_decode (in=0x6036a0, fmt=5, optstr=0x7fffffffdb30 "") at /tmp/jasper-2.0.14-O0/src/libjasper/base/jas_image.c:442
#6  0x000000000040115f in main (argc=3, argv=0x7fffffffdd98) at /tmp/jasper-2.0.14-O0/src/appl/imginfo.c:238

jpc_dec.c:515 now correctly indicates abort() after jpc_ppmstabtostreams().
This CVE has now been rejected as a duplicate of CVE-2017-13745.

*** This bug has been marked as a duplicate of bug 1488958 ***
Statement: This flaw was found to be a duplicate of CVE-2017-13745. Please see https://access.redhat.com/security/cve/CVE-2017-13745 for information about affected products and security errata.
CVE-2017-13745 was fixed upstream in jasper 2.0.17.