Bug 1385502 (CVE-2016-8691, CVE-2016-8692) - CVE-2016-8691 CVE-2016-8692 jasper: missing SIZ marker segment XRsiz and YRsiz fields range check
Status: CLOSED ERRATA
Alias: CVE-2016-8691, CVE-2016-8692
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 1385503
Depends On: 1385516 1385517 1385518 1385519 1439171 1439172 1439173 1439174
Blocks: 1314477
Reported: 2016-10-17 08:40 UTC by Adam Mariš
Modified: 2019-09-29 13:57 UTC (History)

Fixed In Version: jasper 1.900.4
Doc Type: If docs needed, set a value
Last Closed: 2017-05-09 21:45:50 UTC


Links:
Red Hat Product Errata RHSA-2017:1208 (priority normal, status SHIPPED_LIVE): Important: jasper security update, last updated 2017-05-09 21:13:57 UTC

Description Adam Mariš 2016-10-17 08:40:25 UTC
A divide-by-zero vulnerability was found in jpc_dec_process_siz, triggered by invoking the imginfo command on a specially crafted file.

Upstream patch:

https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020

CVE assignment:

http://www.openwall.com/lists/oss-security/2016/10/16/14

Comment 1 Adam Mariš 2016-10-17 08:49:20 UTC
Please don't make changes to flaw bugs! These should be modified only by members of Product Security. Tracking bugs for Fedora will be created soon.

Thanks!

Comment 2 Adam Mariš 2016-10-17 08:55:35 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]

Comment 3 Adam Mariš 2016-10-17 08:55:53 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]

Comment 4 Tomas Hoger 2016-11-30 10:45:43 UTC
There are two related issues that got separate CVEs assigned - CVE-2016-8691 and CVE-2016-8692 - even though they should have got a single CVE based on Mitre CVE assignment rules. They have also been addressed via the same upstream commit. Merging the tracking of both CVEs into a single bug.

Prior to the patch, the jpc_siz_getparms() function failed to sanity-check the values of the XRsiz and YRsiz fields of the SIZ marker segment. That could lead to an attempt to perform division by 0, and hence unexpected program termination, inside the jpc_dec_process_siz() function.

Both issues are covered by this advisory from the original reporter:

https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/


CVE-2016-8691 is for the missing check of the XRsiz value.

Upstream bug report:

https://github.com/mdadams/jasper/issues/22

Details from the original reporter's advisory:

# imginfo -f $FILE
warning: trailing garbage in marker segment (2 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==31103==ERROR: AddressSanitizer: FPE on unknown address 0x7f5b9237e7df (pc 0x7f5b9237e7df bp 0x7fff3818a0c0 sp 0x7fff38189fa0 T0)
    #0 0x7f5b9237e7de in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17
    #1 0x7f5b923842b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f5b923842b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f5b92327a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f5b9143f61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1194:17 in jpc_dec_process_siz
==31103==ABORTING


CVE-2016-8692 is for the missing check of the YRsiz value.

Upstream bug report:

https://github.com/mdadams/jasper/issues/23

Details from the original reporter's advisory:

# imginfo -f $FILE
warning: trailing garbage in marker segment (5 bytes)
ASAN:DEADLYSIGNAL
=================================================================
==24077==ERROR: AddressSanitizer: FPE on unknown address 0x7f78c36f9822 (pc 0x7f78c36f9822 bp 0x7ffe2bff10c0 sp 0x7ffe2bff0fa0 T0)
    #0 0x7f78c36f9821 in jpc_dec_process_siz /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18
    #1 0x7f78c36ff2b2 in jpc_dec_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:390:10
    #2 0x7f78c36ff2b2 in jpc_decode /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:254
    #3 0x7f78c36a2a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #4 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #5 0x7f78c27ba61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/jasper-version-1.900.3/src/libjasper/jpc/jpc_dec.c:1196:18 in jpc_dec_process_siz
==24077==ABORTING
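As an added illustration of the check described in the comment above (this is example code, not jasper's source and not the upstream commit), the following C parses the body of a JPEG 2000 SIZ marker segment, rejects any component whose XRsiz or YRsiz is zero before those fields can reach a division, and only then derives a component width the way a decoder would. The SIZ field layout assumed is the one from ITU-T T.800 (Lsiz, Rsiz, Xsiz, Ysiz, XOsiz, YOsiz, XTsiz, YTsiz, XTOsiz, YTOsiz, Csiz, then Ssiz/XRsiz/YRsiz per component); the sample segment bytes and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct siz_comp { uint8_t prec, xrsiz, yrsiz; };        /* Ssiz, XRsiz, YRsiz */
struct siz { uint32_t xsiz, ysiz, xosiz, yosiz; uint16_t csiz; struct siz_comp comps[4]; };
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a SIZ segment body (bytes after the 0xFF51 marker, from Lsiz on): 0 on success, -1 if
 * malformed or if any component's XRsiz/YRsiz is 0. This example allows at most 4 components. */
int siz_parse(const uint8_t *buf, size_t len, struct siz *s) {
    if (len < 38) return -1;
    uint16_t lsiz = rd16(buf);
    s->xsiz = rd32(buf + 4);   s->ysiz = rd32(buf + 8);
    s->xosiz = rd32(buf + 12); s->yosiz = rd32(buf + 16);
    s->csiz = rd16(buf + 36);
    if (s->csiz == 0 || s->csiz > 4 || lsiz != 38 + 3 * s->csiz || len < (size_t)lsiz) return -1;
    if (s->xosiz >= s->xsiz || s->yosiz >= s->ysiz) return -1;
    for (unsigned i = 0; i < s->csiz; i++) {
        const uint8_t *c = buf + 38 + 3 * i;
        s->comps[i].prec = c[0]; s->comps[i].xrsiz = c[1]; s->comps[i].yrsiz = c[2];
        /* The range check jasper 1.900.3 lacked: a zero here is used as a divisor later. */
        if (s->comps[i].xrsiz == 0 || s->comps[i].yrsiz == 0) return -1;
    }
    return 0;
}

/* Component width in samples, ceil(Xsiz/XRsiz) - ceil(XOsiz/XRsiz); only safe after siz_parse. */
uint32_t comp_width(const struct siz *s, unsigned i) {
    uint32_t r = s->comps[i].xrsiz;
    return (s->xsiz + r - 1) / r - (s->xosiz + r - 1) / r;
}

/* Constructed single-component SIZ body: 16x8 image, 8-bit samples, caller-chosen subsampling. */
size_t siz_sample(uint8_t out[41], uint8_t xrsiz, uint8_t yrsiz) {
    static const uint8_t hdr[38] = {
        0x00, 0x29, 0x00, 0x00,                /* Lsiz = 41, Rsiz = 0 */
        0,0,0,16, 0,0,0,8, 0,0,0,0, 0,0,0,0,   /* Xsiz, Ysiz, XOsiz, YOsiz */
        0,0,0,16, 0,0,0,8, 0,0,0,0, 0,0,0,0,   /* XTsiz, YTsiz, XTOsiz, YTOsiz */
        0x00, 0x01 };                          /* Csiz = 1 */
    memcpy(out, hdr, 38);
    out[38] = 7; out[39] = xrsiz; out[40] = yrsiz;   /* Ssiz, XRsiz, YRsiz */
    return 41;
}

/* Width of component 0 for the sample, or -1 when the parser rejects the segment. */
long demo_width(uint8_t xrsiz, uint8_t yrsiz) {
    uint8_t buf[41]; struct siz s; size_t n = siz_sample(buf, xrsiz, yrsiz);
    return siz_parse(buf, n, &s) == 0 ? (long)comp_width(&s, 0) : -1;
}
```

With XRsiz = 0 the segment is rejected at parse time instead of reaching the division in comp_width, which is the failure the two ASAN traces above show inside jpc_dec_process_siz.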

Comment 7 Tomas Hoger 2016-11-30 11:34:49 UTC
*** Bug 1385503 has been marked as a duplicate of this bug. ***

Comment 8 Tomas Hoger 2016-11-30 11:36:30 UTC
Impact of this problem is limited to unexpected application termination. There is currently no plan to backport the fix to already released Red Hat Enterprise Linux versions.

Comment 10 errata-xmlrpc 2017-05-09 17:17:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208

