Null pointer dereference vulnerability in jpc_tsfb_synthesize was found. Upstream patch: https://github.com/mdadams/jasper/commit/2e82fa00466ae525339754bb3ab0a0474a31d4bd Published on oss-security: http://seclists.org/oss-sec/2017/q1/606 Reference: https://blogs.gentoo.org/ago/2016/10/20/jasper-null-pointer-dereference-in-jpc_tsfb_synthesize-jpc_tsfb-c/
Created jasper tracking bugs for this issue: Affects: epel-5 [bug 1434466] Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1434467]
Upstream bug report: https://github.com/mdadams/jasper/issues/39 Quoting relevant information form the original reporter's advisory: https://blogs.gentoo.org/ago/2016/10/20/jasper-null-pointer-dereference-in-jpc_tsfb_synthesize-jpc_tsfb-c/ Another round of fuzzing on an updated version (1.900.5) revealed another NULL pointer access The complete ASan output: # imginfo -f $FILE warning: trailing garbage in marker segment (14 bytes) warning: not enough tile data (15 bytes) warning: bad segmentation symbol warning: bad segmentation symbol ASAN:DEADLYSIGNAL ================================================================= ==7144==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6d3c37d0b0 bp 0x7ffdc7407a90 sp 0x7ffdc7407a30 T0) #0 0x7f6d3c37d0af in jpc_tsfb_synthesize /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4 #1 0x7f6d3c2f5140 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:1068:3 #2 0x7f6d3c2e5c40 in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:623:7 #3 0x7f6d3c2ef294 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:390:10 #4 0x7f6d3c2ef294 in jpc_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_dec.c:254 #5 0x7f6d3c2bd061 in jp2_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jp2/jp2_dec.c:215:21 #6 0x7f6d3c24df39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16 #7 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16 #8 0x7f6d3b35c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #9 0x418e68 in _init (/usr/bin/imginfo+0x418e68) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/jpc/jpc_tsfb.c:152:4 in jpc_tsfb_synthesize ==7144==ABORTING Affected version: 1.900.5 Fixed version: 1.900.9
The impact of this flaw is limited to application crash. There is currently no plan to backport the fix to already released Red Hat Enterprise Linux versions.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208