Red Hat Bugzilla – Bug 346501
CVE-2007-2721 jasper: crash in jpc_qcx_getcompparms
Last modified: 2016-11-24 05:42:24 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-2721 to the following vulnerability:
The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.
This issue was addressed for Fedora jasper package few months ago:
Recently, it was discovered that (GNU) ghostscript contains local copy of jasper
code which is affected by this problem:
ghostscript patch applied upstream:
This issue does not affect versions of ghostscript as shipped with Red Hat
Enterprise Linux 2.1, 3, 4 or 5 and Fedora Core 6 and Fedora 7, as they do not
include jasper library.
Since this was already addressed in fedora (per comment #1) and doesn't affect rhel (comment #2), can this be closed? (else, I'll likely just remove my CC here)
Rex, you're gonna hate me for adding you back here, but you did not give me much time to reply your previous comment ;).
I was recently looking into this issue as well, as the patch that was used in the Fedora jasper packages differs from what was used by other vendors (Mandriva, Ubuntu, but not Debian, it seems) and what got committed to ghostscript CVS.
So this issue starts with Debian bug report here:
and it's libjasper clone:
Those bugs contain couple of files that are relevant for jasper (and cause jasper to crash): broken.jpc, broken.jp2, broken.jp2
The patch we have addresses the issue as it is worded in the CVE description, but jasper still crashes on some test files. Rest of that patch used by others it bit scary though (malloc -> calloc switch), and when applied to jasper in Fedora, seems to cause jasper to enter an infinite loop on at least one of the files (but I still can't seem to find enough time to dig deeper ;( ).
Do you remember where did you get the patch from, or possibly why it does not contain changes used by other vendors? I'm attaching tar ball with test files and patches.
(Also dropping Tim from CC, as ghostscript now uses system jasper.)
Created attachment 316091 [details]
Test files from Debian bug
Created attachment 316092 [details]
Patch used by Ubuntu
Created attachment 316093 [details]
Patch used by Mandriva
np, no hate here, thanks for the extra diligence.
I did not forget to add smiley, right? ;)
So it's not an infinite loop after all, just the image claims to have some crazy size:
$ imginfo -f broken.jpc
jpc 3 203 2097304 8 1277258136
Note to self: output values are:
fmtname, numcmpts, width, height, depth, (long) jas_image_rawsize(image)
So running ImageMagick's convert (e.g. convert broken.jpc foo.jpg) is likely to blow up when running out of memory. Running jasper utility to convert to pnm finishes after some time and create 1.2gig output file. You can test with:
jasper --input broken.jpc --output /dev/null --output-format pnm
It's not clear whether all that raw data is compressed to 30k .jpc file, or jasper has some issue with EOF handling / detection, though.
This was addressed via:
Red Hat Enterprise Linux version 4 (RHSA-2009:0012)
Red Hat Enterprise Linux version 5 (RHSA-2009:0012)
Fixed upstream in version 1.900.5: