Marc Espie and Christian Weisgerber of the OpenBSD project identified multiple possible integer overflows in jasper. Problems occur in jas_malloc calls, where integer overflows may result in an insufficient memory allocation, leading to a heap-based buffer overflow. OpenBSD jasper library patches: http://www.openbsd.org/cgi-bin/cvsweb/ports/graphics/jasper/patches/
Created attachment 316077: OpenBSD patch

This patch introduces jas_alloc[23] and jas_realloc2 functions and replaces all jas_malloc calls with an argument containing a multiplication of 2 or 3 values. In multiple cases, such a change is not necessary (the product is guaranteed not to overflow), and it was not further investigated in which cases overflow is possible and in which it is not possible. All occurrences were possibly identified with something like:

egrep -r --color 'jas_malloc[[:space:]]*\(.*\*' *
Created attachment 325790: More complete fix for CVE-2008-3520

It seems that the OpenBSD patch misses completely the jpc/jpc_cs.c, where jas_malloc() is used frequently with an argument containing a multiplication with sizeof(random_type). I converted the jas_malloc(A * sizeof(unsigned char)) to jas_alloc2() as well to be paranoidly sure it won't ever happen to overflow even on weird platforms where sizeof(char) != 1.
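The following is an added illustration, not code from the jasper project or from either patch: it shows how a jas_malloc(count * sizeof(elem)) request wraps in size_t and hands back an undersized buffer, and how a checked two-argument allocator in the role the patches give jas_alloc2 (and jas_realloc2) refuses the request instead. The function names checked_size_mul and checked_alloc2 are assumptions chosen for this example.

```c
/* Added example (not jasper's own code): unchecked vs. checked sizing
 * for an allocation of count elements of elem_size bytes each. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count as computed by the original jas_malloc(a * b) call sites:
 * size_t arithmetic silently wraps modulo SIZE_MAX + 1. */
size_t unchecked_request(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Multiply two sizes; return false if the product does not fit in size_t. */
bool checked_size_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) {
        return false;                   /* a * b would wrap */
    }
    *out = a * b;
    return true;
}

/* Checked counterpart of jas_malloc(count * elem_size): returns NULL when
 * the byte count would wrap, so no undersized buffer is ever returned.
 * The same guard applies unchanged to the realloc case. */
void *checked_alloc2(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_size_mul(count, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

int main(void)
{
    /* Constructed untrusted element count (e.g. a length field parsed from
     * a codestream header) chosen so that count * 4 wraps to 0. */
    size_t count = SIZE_MAX / 4 + 1;
    printf("unchecked request: %zu bytes\n", unchecked_request(count, 4));
    void *p = checked_alloc2(count, 4);
    printf("checked_alloc2: %s\n", p ? "allocated" : "refused (overflow)");
    free(p);
    return 0;
}
```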
Returning back to NEW state. This is just a tracking bug.
(In reply to comment #3)
> It seems that the OpenBSD patch misses completely the jpc/jpc_cs.c, where
> jas_malloc() is used frequently with an argument containing multiplication with
> sizeof(random_type).

What is the difference between patch comment #1 and comment #1 wrt jpc/jpc_cs.c? The only difference I see is related to this change:

> I converted the jas_malloc(A * sizeof(unsigned char)) to jas_alloc2() as well
> to be paranoidly sure it won't ever happen to overflow even on weird
> platforms where sizeof(char) != 1.

so jas_malloc(ppm->len * sizeof(unsigned char)) is changed to:

jas_alloc2(ppm->len, sizeof(unsigned char))

rather than:

jas_malloc(ppm->len)
Ok, my bad. The jpc/jpc_cs.c hunks were lost in rejected patch application while backporting the OpenBSD patch. In any case, it is now fixed.
jasper-1.900.1-13.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc11
jasper-1.900.1-13.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc10
jasper-1.900.1-13.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el5
jasper-1.900.1-13.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el4
jasper-1.900.1-13.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-13.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
jasper-1.900.1-13.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
*** Bug 1294039 has been marked as a duplicate of this bug. ***
*** Bug 1296952 has been marked as a duplicate of this bug. ***
*** Bug 1296951 has been marked as a duplicate of this bug. ***
*** Bug 1296953 has been marked as a duplicate of this bug. ***
*** Bug 1296956 has been marked as a duplicate of this bug. ***
*** Bug 1296949 has been marked as a duplicate of this bug. ***
The patch was integrated upstream in version 1.900.4: https://github.com/mdadams/jasper/commit/3c55b399c36ef46befcb21e4ebc4799367f89684