Bug 461476 - CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=vendor-sec,reported=20080519,p...
Keywords: Security
Duplicates: 1294039 CVE-2015-8751 1296951 1296952 1296953
Depends On: 472945 472946 472947 472948 530305
Blocks: 1167538 CVE-2015-8751 1296956
Reported: 2008-09-08 09:29 EDT by Tomas Hoger
Modified: 2016-11-24 05:26 EST
Fixed In Version: jasper 1.900.4
Doc Type: Bug Fix
Last Closed: 2009-10-28 06:59:18 EDT

Attachments
OpenBSD patch (37.17 KB, patch), 2008-09-08 09:35 EDT, Tomas Hoger
More complete fix for CVE-2008-3520 (29.66 KB, patch), 2008-12-04 23:08 EST, Jindrich Novy

Description Tomas Hoger 2008-09-08 09:29:29 EDT
Marc Espie and Christian Weisgerber of the OpenBSD project identified multiple possible integer overflows in jasper.  Problems occur in jas_malloc calls, where integer overflows may result in an insufficient memory allocation, leading to a heap based buffer overflow.

OpenBSD jasper library patches:
http://www.openbsd.org/cgi-bin/cvsweb/ports/graphics/jasper/patches/
Comment 1 Tomas Hoger 2008-09-08 09:35:04 EDT
Created attachment 316077 [details]
OpenBSD patch

This patch introduces jas_alloc[23] and jas_realloc2 functions and replaces all jas_malloc calls with an argument containing a multiplication of 2 or 3 values.  In multiple cases, such a change is not necessary (the product is guaranteed not to overflow), and it was not further investigated in which cases overflow is possible and in which it is not possible.

All occurrences were possibly identified with something like:
  egrep -r --color 'jas_malloc[[:space:]]*\(.*\*' *
Comment 3 Jindrich Novy 2008-12-04 23:08:55 EST
Created attachment 325790 [details]
More complete fix for CVE-2008-3520

It seems that the OpenBSD patch misses completely the jpc/jpc_cs.c, where jas_malloc() is used frequently with an argument containing multiplication with sizeof(random_type). I converted the jas_malloc(A * sizeof(unsigned char)) to jas_alloc2() as well to be paranoidly sure it won't ever happen to overflow even on weird platforms where sizeof(char) != 1.
Comment 4 Jindrich Novy 2008-12-05 06:38:39 EST
Returning back to NEW state. This is just a tracking bug.
Comment 5 Tomas Hoger 2008-12-10 10:16:32 EST
(In reply to comment #3)
> It seems that the OpenBSD patch misses completely the jpc/jpc_cs.c, where
> jas_malloc() is used frequently with an argument containing multiplication with
> sizeof(random_type).

What is the difference between the patch in comment #1 and the one in comment #3 wrt jpc/jpc_cs.c?  The only difference I see is related to this change:

> I converted the jas_malloc(A * sizeof(unsigned char)) to jas_alloc2() as well
> to be paranoidly sure it won't ever happen to overflow even on weird
> platforms where sizeof(char) != 1.

so
  jas_malloc(ppm->len * sizeof(unsigned char))

is changed to:
  jas_alloc2(ppm->len, sizeof(unsigned char))

rather than:
  jas_malloc(ppm->len)
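Added example, not code from the bug report, the OpenBSD patch or JasPer itself: the shape of the overflow-checked wrappers jas_alloc2/jas_alloc3 described in comment #1, beside the unchecked multiplication they replace; the same check also shows why the jas_alloc2(ppm->len, sizeof(unsigned char)) case discussed in comments #3 and #5 can never overflow (a size of 1 always fits). The names unchecked_size, size_fits, xalloc2 and xalloc3 are my own.

```c
/* Added example (my own code, not from the bug report or from JasPer): the
 * shape of the overflow-checked wrappers the OpenBSD patch introduces
 * (jas_alloc2/jas_alloc3), shown next to the unchecked product they replace.
 * Only the idea follows the patch; names and bodies are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The pattern being replaced: num * size wraps modulo (SIZE_MAX + 1), so a
 * huge element count can yield a tiny allocation that is later overrun. */
size_t unchecked_size(size_t num, size_t size)
{
    return num * size;
}

/* 1 if num * size fits in size_t, 0 if the product would wrap. */
int size_fits(size_t num, size_t size)
{
    return num == 0 || size <= SIZE_MAX / num;
}

/* num objects of 'size' bytes; NULL if the product overflows or malloc fails. */
void *xalloc2(size_t num, size_t size)
{
    if (!size_fits(num, size))
        return NULL;
    return malloc(num * size);
}

/* Three-factor variant (num1 * num2 * size); each product is checked. */
void *xalloc3(size_t num1, size_t num2, size_t size)
{
    if (!size_fits(num1, num2))
        return NULL;
    return xalloc2(num1 * num2, size);
}

int main(void)
{
    /* Constructed input: a count whose product with sizeof(int) wraps to 0
     * on both 32- and 64-bit size_t. */
    size_t count = SIZE_MAX / sizeof(int) + 1;
    void *p = xalloc2(count, sizeof(int));
    printf("unchecked: %zu bytes, checked: %s\n",
           unchecked_size(count, sizeof(int)), p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```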
Comment 6 Jindrich Novy 2008-12-11 05:48:09 EST
Ok, my bad. The jpc/jpc_cs.c hunks were lost in a rejected patch application while backporting the OpenBSD patch. In any case, it is now fixed.
Comment 8 Fedora Update System 2009-10-26 12:59:51 EDT
jasper-1.900.1-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc11
Comment 9 Fedora Update System 2009-10-26 13:01:00 EDT
jasper-1.900.1-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/jasper-1.900.1-13.fc10
Comment 10 Fedora Update System 2009-10-26 13:01:41 EDT
jasper-1.900.1-13.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el5
Comment 11 Fedora Update System 2009-10-26 13:02:22 EDT
jasper-1.900.1-13.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/jasper-1.900.1-13.el4
Comment 12 Fedora Update System 2009-10-27 02:36:58 EDT
jasper-1.900.1-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-10-27 02:43:11 EDT
jasper-1.900.1-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2009-10-27 17:32:35 EDT
jasper-1.900.1-13.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2009-10-27 17:33:24 EDT
jasper-1.900.1-13.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 errata-xmlrpc 2015-03-18 08:12:20 EDT
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0698 https://rhn.redhat.com/errata/RHSA-2015-0698.html
Comment 17 Cedric Buissart 2016-01-11 07:49:42 EST
*** Bug 1294039 has been marked as a duplicate of this bug. ***
Comment 18 Cedric Buissart 2016-01-11 07:50:09 EST
*** Bug 1296952 has been marked as a duplicate of this bug. ***
Comment 19 Cedric Buissart 2016-01-11 07:50:11 EST
*** Bug 1296951 has been marked as a duplicate of this bug. ***
Comment 20 Cedric Buissart 2016-01-11 07:50:13 EST
*** Bug 1296953 has been marked as a duplicate of this bug. ***
Comment 21 Cedric Buissart 2016-01-11 08:08:13 EST
*** Bug 1296956 has been marked as a duplicate of this bug. ***
Comment 22 Cedric Buissart 2016-01-11 08:10:02 EST
*** Bug 1296949 has been marked as a duplicate of this bug. ***
Comment 23 Tomas Hoger 2016-11-24 05:26:33 EST
The patch was integrated upstream in version 1.900.4:

https://github.com/mdadams/jasper/commit/3c55b399c36ef46befcb21e4ebc4799367f89684