Bug 346501 - (CVE-2007-2721) CVE-2007-2721 jasper: crash in jpc_qcx_getcompparms
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium / Severity: medium
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=internet,reported=20071023,pub...
Keywords: Security
Depends On: 240397 346511 472945 472946 472947 472948 501451 530120 554731
Reported: 2007-10-23 05:05 EDT by Tomas Hoger
Modified: 2016-11-24 05:42 EST
Fixed In Version: jasper 1.900.5
Doc Type: Bug Fix
Clones: 501451
Last Closed: 2010-12-22 16:49:39 EST
Attachments:
  Test files from Debian bug (160.00 KB, application/x-tar), 2008-09-08 11:09 EDT, Tomas Hoger
  Patch used by Ubuntu (2.15 KB, patch), 2008-09-08 11:10 EDT, Tomas Hoger
  Patch used by Mandriva (1.41 KB, patch), 2008-09-08 11:11 EDT, Tomas Hoger
Description Tomas Hoger 2007-10-23 05:05:27 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-2721 to the following vulnerability:

The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413033
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041;msg=88
http://www.mandriva.com/security/advisories?name=MDKSA-2007:129
http://www.ubuntu.com/usn/usn-501-1
http://www.securityfocus.com/bid/24052
http://secunia.com/advisories/25287
http://secunia.com/advisories/25703
http://secunia.com/advisories/26516
Comment 1 Tomas Hoger 2007-10-23 05:18:35 EDT
This issue was addressed for the Fedora jasper package a few months ago:

https://bugzilla.redhat.com/show_bug.cgi?id=240397
https://www.redhat.com/archives/fedora-package-announce/2007-May/msg00077.html


Recently, it was discovered that (GNU) ghostscript contains a local copy of jasper
code which is affected by this problem:

https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/153765
http://www.ubuntu.com/usn/usn-501-2

ghostscript patch applied upstream:

http://ghostscript.com/pipermail/gs-cvs/2007-October/007877.html
http://cvs.ghostscript.com/cgi-bin/viewcvs.cgi/ghostscript?rev=8298&view=rev
Comment 2 Tomas Hoger 2007-10-23 05:30:34 EDT
This issue does not affect versions of ghostscript as shipped with Red Hat
Enterprise Linux 2.1, 3, 4 or 5 and Fedora Core 6 and Fedora 7, as they do not
include jasper library.
Comment 4 Rex Dieter 2008-09-05 11:29:10 EDT
Since this was already addressed in fedora (per comment #1) and doesn't affect rhel (comment #2), can this be closed?  (else, I'll likely just remove my CC here)
Comment 5 Tomas Hoger 2008-09-08 11:09:21 EDT
Rex, you're gonna hate me for adding you back here, but you did not give me much time to reply to your previous comment ;).

I was recently looking into this issue as well, as the patch that was used in the Fedora jasper packages differs from what was used by other vendors (Mandriva, Ubuntu, but not Debian, it seems) and what got committed to ghostscript CVS.

So this issue starts with the Debian bug report here:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413033
and its libjasper clone:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041

Those bugs contain a couple of files that are relevant for jasper (and cause jasper to crash): broken.jpc, broken.jp2, broken[234].jp2

The patch we have addresses the issue as it is worded in the CVE description, but jasper still crashes on some test files.  The rest of that patch used by others is a bit scary though (malloc -> calloc switch), and when applied to jasper in Fedora, it seems to cause jasper to enter an infinite loop on at least one of the files (but I still can't seem to find enough time to dig deeper ;( ).

Do you remember where you got the patch from, or possibly why it does not contain the changes used by other vendors?  I'm attaching a tarball with test files and patches.

(Also dropping Tim from CC, as ghostscript now uses system jasper.)
Comment 6 Tomas Hoger 2008-09-08 11:09:59 EDT
Created attachment 316091
Test files from Debian bug
Comment 7 Tomas Hoger 2008-09-08 11:10:39 EDT
Created attachment 316092
Patch used by Ubuntu
Comment 8 Tomas Hoger 2008-09-08 11:11:08 EDT
Created attachment 316093
Patch used by Mandriva
Comment 9 Rex Dieter 2008-09-08 11:25:39 EDT
np, no hate here, thanks for the extra diligence.
Comment 10 Tomas Hoger 2008-09-09 02:50:18 EDT
I did not forget to add smiley, right? ;)

So it's not an infinite loop after all, just the image claims to have some crazy size:

  $ imginfo -f broken.jpc
  jpc 3 203 2097304 8 1277258136

Note to self: output values are:
  fmtname, numcmpts, width, height, depth, (long) jas_image_rawsize(image)

So running ImageMagick's convert (e.g. convert broken.jpc foo.jpg) is likely to blow up when running out of memory.  Running the jasper utility to convert to pnm finishes after some time and creates a 1.2 GB output file.  You can test with:

  jasper --input broken.jpc --output /dev/null --output-format pnm

It's not clear whether all that raw data is really compressed into a 30k .jpc file, or whether jasper has some issue with EOF handling / detection, though.
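As an added example (not code from this bug, from JasPer, or from any of the attached patches), a Python check that reads the SIZ marker segment of a raw .jpc codestream and computes the same raw image size that imginfo prints as its last field, so a caller can reject a file whose claimed dimensions exceed a memory budget before handing it to a decoder. The byte layout follows the JPEG-2000 SIZ marker segment (SOC 0xFF4F followed by SIZ 0xFF51); the sample headers are constructed here, one mirroring the dimensions reported above for broken.jpc.

```python
import struct

SOC = b"\xff\x4f"  # start of codestream marker
SIZ = b"\xff\x51"  # image and tile size marker segment

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def parse_siz(cs: bytes) -> dict:
    """Parse the SIZ segment that must directly follow SOC in a raw .jpc codestream."""
    if cs[:2] != SOC or cs[2:4] != SIZ:
        raise ValueError("missing SOC/SIZ: not a raw JPEG-2000 codestream")
    (lsiz, _rsiz, xsiz, ysiz, xosiz, yosiz,
     _xt, _yt, _xto, _yto, csiz) = struct.unpack_from(">HHIIIIIIIIH", cs, 4)
    # Lsiz must equal 38 + 3*Csiz; refuse headers whose length and component count disagree.
    if csiz == 0 or lsiz != 38 + 3 * csiz or len(cs) < 4 + lsiz:
        raise ValueError("SIZ length inconsistent with component count")
    if xosiz >= xsiz or yosiz >= ysiz:
        raise ValueError("image offset leaves no pixels")
    comps = []
    for i in range(csiz):
        ssiz, xrsiz, yrsiz = struct.unpack_from(">BBB", cs, 42 + 3 * i)
        if xrsiz == 0 or yrsiz == 0:
            raise ValueError("zero sub-sampling factor")
        comps.append({
            "width": ceil_div(xsiz, xrsiz) - ceil_div(xosiz, xrsiz),
            "height": ceil_div(ysiz, yrsiz) - ceil_div(yosiz, yrsiz),
            "prec": (ssiz & 0x7F) + 1,  # bit depth; high bit is the signedness flag
        })
    return {"numcmpts": csiz, "width": xsiz - xosiz, "height": ysiz - yosiz,
            "depth": comps[0]["prec"], "comps": comps}

def raw_size(info: dict) -> int:
    """Bytes needed to hold all decoded samples (the quantity imginfo prints last)."""
    return sum(c["width"] * c["height"] * ((c["prec"] + 7) // 8) for c in info["comps"])

def within_budget(cs: bytes, max_bytes: int) -> bool:
    """True only if the header's claimed decoded size fits the caller's memory budget."""
    return raw_size(parse_siz(cs)) <= max_bytes

def make_siz(width: int, height: int, ncomp: int, prec: int = 8) -> bytes:
    """Build a constructed SOC+SIZ header (test input only, not a decodable image)."""
    body = struct.pack(">HHIIIIIIIIH", 38 + 3 * ncomp, 0, width, height, 0, 0,
                       width, height, 0, 0, ncomp)
    body += bytes([prec - 1, 1, 1]) * ncomp  # Ssiz, XRsiz, YRsiz per component
    return SOC + SIZ + body

# Constructed header mirroring the dimensions imginfo reported for broken.jpc.
BROKEN_HDR = make_siz(203, 2097304, 3)
SANE_HDR = make_siz(640, 480, 3)
```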
Comment 12 Vincent Danen 2010-12-22 16:49:39 EST
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2009:0012)
Red Hat Enterprise Linux version 5 (RHSA-2009:0012)
Comment 13 Tomas Hoger 2016-11-24 05:42:24 EST
Fixed upstream in version 1.900.5:

https://github.com/mdadams/jasper/commit/4031ca321d8cb5798c316ab39c7a5dc88a61fdd7
