Bug 346501 (CVE-2007-2721) - CVE-2007-2721 jasper: crash in jpc_qcx_getcompparms
Summary: CVE-2007-2721 jasper: crash in jpc_qcx_getcompparms
Alias: CVE-2007-2721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Depends On: 240397 346511 Engineering472945 Engineering472946 Engineering472947 Engineering472948 501451 Confidential530120 Confidential554731
Reported: 2007-10-23 09:05 UTC by Tomas Hoger
Modified: 2021-11-12 19:40 UTC (History)
2 users (show)

Fixed In Version: jasper 1.900.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 501451 (view as bug list)
Last Closed: 2010-12-22 21:49:39 UTC

Attachments
Test files from Debian bug (160.00 KB, application/x-tar)
2008-09-08 15:09 UTC, Tomas Hoger
Patch used by Ubuntu (2.15 KB, patch)
2008-09-08 15:10 UTC, Tomas Hoger
Patch used by Mandriva (1.41 KB, patch)
2008-09-08 15:11 UTC, Tomas Hoger

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0012 0 normal SHIPPED_LIVE Moderate: netpbm security update 2009-02-11 16:53:08 UTC

Description Tomas Hoger 2007-10-23 09:05:27 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-2721 to the following vulnerability:

The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.



Comment 1 Tomas Hoger 2007-10-23 09:18:35 UTC
This issue was addressed for the Fedora jasper package a few months ago:


Recently, it was discovered that (GNU) ghostscript contains a local copy of jasper
code which is affected by this problem:


ghostscript patch applied upstream:


Comment 2 Tomas Hoger 2007-10-23 09:30:34 UTC
This issue does not affect versions of ghostscript as shipped with Red Hat
Enterprise Linux 2.1, 3, 4 or 5 and Fedora Core 6 and Fedora 7, as they do not
include jasper library.

Comment 4 Rex Dieter 2008-09-05 15:29:10 UTC
Since this was already addressed in fedora (per comment #1) and doesn't affect rhel (comment #2), can this be closed?  (else, I'll likely just remove my CC here)

Comment 5 Tomas Hoger 2008-09-08 15:09:21 UTC
Rex, you're gonna hate me for adding you back here, but you did not give me much time to reply to your previous comment ;).

I was recently looking into this issue as well, as the patch that was used in the Fedora jasper packages differs from what was used by other vendors (Mandriva, Ubuntu, but not Debian, it seems) and what got committed to ghostscript CVS.

So this issue starts with Debian bug report here:
and it's libjasper clone:

Those bugs contain a couple of files that are relevant for jasper (and cause jasper to crash): broken.jpc, broken.jp2, broken[234].jp2

The patch we have addresses the issue as it is worded in the CVE description, but jasper still crashes on some test files.  The rest of that patch used by others is a bit scary though (malloc -> calloc switch), and when applied to jasper in Fedora, it seems to cause jasper to enter an infinite loop on at least one of the files (but I still can't seem to find enough time to dig deeper ;( ).

Do you remember where you got the patch from, or possibly why it does not contain the changes used by other vendors?  I'm attaching a tarball with test files and patches.

(Also dropping Tim from CC, as ghostscript now uses system jasper.)

Comment 6 Tomas Hoger 2008-09-08 15:09:59 UTC
Created attachment 316091 [details]
Test files from Debian bug

Comment 7 Tomas Hoger 2008-09-08 15:10:39 UTC
Created attachment 316092 [details]
Patch used by Ubuntu

Comment 8 Tomas Hoger 2008-09-08 15:11:08 UTC
Created attachment 316093 [details]
Patch used by Mandriva

Comment 9 Rex Dieter 2008-09-08 15:25:39 UTC
np, no hate here, thanks for the extra diligence.

Comment 10 Tomas Hoger 2008-09-09 06:50:18 UTC
I did not forget to add smiley, right? ;)

So it's not an infinite loop after all, just the image claims to have some crazy size:

  $ imginfo -f broken.jpc
  jpc 3 203 2097304 8 1277258136

Note to self: output values are:
  fmtname, numcmpts, width, height, depth, (long) jas_image_rawsize(image)

So running ImageMagick's convert (e.g. convert broken.jpc foo.jpg) is likely to blow up when running out of memory.  Running the jasper utility to convert to pnm finishes after some time and creates a 1.2gig output file.  You can test with:

  jasper --input broken.jpc --output /dev/null --output-format pnm

It's not clear whether all that raw data is really compressed into a 30k .jpc file, or whether jasper has some issue with EOF handling / detection, though.
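
The geometry in comment 10 (3 components, 203 x 2097304, 8-bit) is what drives the 1.2 GB raw size, and a decoder that allocates from header-declared dimensions without a bound is exactly what runs out of memory. The following is an added example, not jasper's own code: a small overflow-safe raw-size computation (mirroring the inputs jas_image_rawsize() reports from, width * height * numcmpts * bytes per sample) paired with a hypothetical allocation cap, RAW_SIZE_LIMIT, so that a header claiming an implausible size is rejected before any buffer is allocated. The helper names and the 256 MiB limit are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical cap on decoded raw image size: 256 MiB. */
#define RAW_SIZE_LIMIT ((uint64_t)256 * 1024 * 1024)

/* Multiply two unsigned 64-bit values; return false instead of wrapping on overflow. */
static bool mul_u64(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Compute width * height * numcmpts * bytes-per-sample from header-declared
   values (hypothetical helper). Returns false on zero dimensions or overflow. */
bool raw_image_size(uint64_t width, uint64_t height, unsigned numcmpts,
                    unsigned depth, uint64_t *rawsize)
{
    uint64_t bytes_per_sample = ((uint64_t)depth + 7) / 8;
    uint64_t n;

    if (width == 0 || height == 0 || numcmpts == 0 || depth == 0)
        return false;
    if (!mul_u64(width, height, &n))
        return false;
    if (!mul_u64(n, numcmpts, &n))
        return false;
    if (!mul_u64(n, bytes_per_sample, &n))
        return false;
    *rawsize = n;
    return true;
}

/* Convenience wrapper: the declared raw size, or 0 if it cannot be represented. */
uint64_t declared_raw_size(uint64_t width, uint64_t height, unsigned numcmpts,
                           unsigned depth)
{
    uint64_t rs = 0;
    return raw_image_size(width, height, numcmpts, depth, &rs) ? rs : 0;
}

/* Decide whether header geometry is safe to allocate for.
   Returns 1 to accept, 0 to reject (overflow or above the limit). */
int header_dims_acceptable(uint64_t width, uint64_t height, unsigned numcmpts,
                           unsigned depth, uint64_t limit)
{
    uint64_t rs;
    if (!raw_image_size(width, height, numcmpts, depth, &rs))
        return 0;
    return rs <= limit ? 1 : 0;
}

int main(void)
{
    /* Geometry reported by imginfo for broken.jpc in comment 10 */
    uint64_t rs = declared_raw_size(203, 2097304, 3, 8);
    printf("declared raw size: %llu bytes -> %s\n", (unsigned long long)rs,
           header_dims_acceptable(203, 2097304, 3, 8, RAW_SIZE_LIMIT) ? "accept" : "reject");
    return 0;
}
```

With these inputs the computed size is 1277258136 bytes, matching the last field of the imginfo output above, and the header is rejected under the cap. The limit is a policy choice: a library would expose it as a tunable, since legitimate large images exist, but it should default to something a single malformed 30k file cannot push past.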

Comment 12 Vincent Danen 2010-12-22 21:49:39 UTC
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2009:0012)
Red Hat Enterprise Linux version 5 (RHSA-2009:0012)

Comment 13 Tomas Hoger 2016-11-24 10:42:24 UTC
Fixed upstream in version 1.900.5:

