A null pointer dereference vulnerability was found in bmp_getdata, triggered by invoking the imginfo command on a specially crafted BMP image.

Upstream patch:
https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca

CVE assignment:
http://www.openwall.com/lists/oss-security/2016/10/16/14
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385517]
Affects: epel-7 [bug 1385519]

Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1385516]
Affects: epel-5 [bug 1385518]
The upstream patch does not fix this issue, according to the reporter:
http://seclists.org/oss-sec/2016/q4/172
Fixed in:
https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698
*** Bug 1388831 has been marked as a duplicate of this bug. ***
Here is the original reporter's advisory:

https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/

It provides two crash stack traces indicating a problem in the BMP decoder:

# imginfo -f $FILE
==26929==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8fc7fd53b5 bp 0x7ffcdf755110 sp 0x7ffcdf754de0 T0)
    #0 0x7f8fc7fd53b4 in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5
    #1 0x7f8fc7fd53b4 in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f8fc7fa1a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f8fc70b961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5 in bmp_getdata
==26929==ABORTING

# imginfo -f $FILE
==15555==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02a9c081ee bp 0x7ffd1e22e110 sp 0x7ffd1e22dde0 T0)
    #0 0x7f02a9c081ed in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5
    #1 0x7f02a9c081ed in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f02a9bd4a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f02a8cec61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5 in bmp_getdata
==15555==ABORTING

These issues were reported upstream in the following bug reports:

https://github.com/mdadams/jasper/issues/24
https://github.com/mdadams/jasper/issues/21

and addressed in version 1.900.5 via this commit:

https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca

A single CVE id CVE-2016-8690 was originally assigned for these issues:

http://seclists.org/oss-sec/2016/q4/155

However, that fix did not address the underlying issue. The change to the bmp_getint32() function prevented triggering of the problem with the originally provided reproducers, but the reporter was able to create a different reproducer that does not trigger the problem in versions prior to 1.900.5, but does trigger it in 1.900.5. The following advisory was published for the incomplete fix:

https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690/

providing the following crash stack traces:

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED! THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA. IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
skipping unknown data in BMP file
ASAN:DEADLYSIGNAL
=================================================================
==19659==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f90527a18fe bp 0x7ffcfacc8070 sp 0x7ffcfacc7ee0 T0)
    #0 0x7f90527a18fd in bmp_getdata /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5
    #1 0x7f90527a18fd in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:201
    #2 0x7f9052748f39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #3 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #4 0x7f905185761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:394:5 in bmp_getdata
==19659==ABORTING

# imginfo -f $FILE
THE BMP FORMAT IS NOT FULLY SUPPORTED! THAT IS, THE JASPER SOFTWARE CANNOT DECODE ALL TYPES OF BMP DATA. IF YOU HAVE ANY PROBLEMS, PLEASE TRY CONVERTING YOUR IMAGE DATA TO THE PNM FORMAT, AND USING THIS FORMAT INSTEAD.
ASAN:DEADLYSIGNAL
=================================================================
==11248==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f888b2f5a44 bp 0x7ffea5b3b070 sp 0x7ffea5b3aee0 T0)
    #0 0x7f888b2f5a43 in bmp_getdata /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5
    #1 0x7f888b2f5a43 in bmp_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:201
    #2 0x7f888b29cf39 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/base/jas_image.c:380:16
    #3 0x4f1686 in main /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/appl/imginfo.c:188:16
    #4 0x7f888a3ab61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418e68 in _init (/usr/bin/imginfo+0x418e68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.5/work/jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:398:5 in bmp_getdata
==11248==ABORTING

Upstream bug report for the incomplete fix:

https://github.com/mdadams/jasper/issues/33

addressed in version 1.900.9 via this commit:

https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698

The relevant part of the fix is a change to the jas_matrix_create() function to ensure that its numrows and numcols arguments are not negative. Negative values could cause the created matrix to be initialized into an inconsistent state, with data_ being NULL and datasize_ being non-0 / negative. That could later lead to a dereference of the NULL data_ pointer. It's likely to be a write attempt close to NULL, but it can theoretically be further away from NULL and hence access writeable memory. The provided test cases that trigger the problem via the BMP decoder only trigger a write close to NULL, limiting the impact to a crash.
Two separate CVE ids, CVE-2016-8884 and CVE-2016-8885, were assigned for the incomplete fix, even though the original issue only got a single CVE. Some discussion of that can be found here:
http://seclists.org/oss-sec/2016/q4/221
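As an added illustration of the inconsistent matrix state described in the comment above (constructed model code, not JasPer's own jas_matrix_create() or bmp_getdata(); the field names data_ and datasize_ follow the report, every other name and the layout are assumptions), this shows an unchecked constructor that reproduces the bad state for a negative dimension, the checked constructor that rejects it up front, a detector for the state, and an element store that refuses to write through the NULL pointer instead of dereferencing it:

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-in for a row-major matrix object (hypothetical; only
 * data_ and datasize_ are taken from the bug report). */
typedef struct {
    long numrows_;
    long numcols_;
    long datasize_;   /* intended to equal numrows_ * numcols_ */
    int  *data_;      /* should be NULL only when datasize_ == 0 */
} matrix_t;

/* Pre-fix shape: dimensions are multiplied and stored without a sign check.
 * With numrows = -1 and numcols = 4 the product is -4, the allocation is
 * skipped, data_ stays NULL but datasize_ is non-zero: the inconsistent
 * state the report describes. */
matrix_t *matrix_create_unchecked(long numrows, long numcols)
{
    matrix_t *m = calloc(1, sizeof *m);
    if (m == NULL)
        return NULL;
    m->numrows_  = numrows;
    m->numcols_  = numcols;
    m->datasize_ = numrows * numcols;
    if (m->datasize_ > 0) {
        m->data_ = calloc((size_t)m->datasize_, sizeof *m->data_);
        if (m->data_ == NULL) {
            free(m);
            return NULL;
        }
    }
    return m;
}

/* Hardened shape: reject negative dimensions before any arithmetic (the
 * check the report attributes to the fix) and, as an added guard, refuse a
 * product that would overflow long. Every matrix this returns satisfies
 * (data_ != NULL) == (datasize_ > 0). */
matrix_t *matrix_create_checked(long numrows, long numcols)
{
    if (numrows < 0 || numcols < 0)
        return NULL;
    if (numcols != 0 && numrows > LONG_MAX / numcols)
        return NULL;
    return matrix_create_unchecked(numrows, numcols);
}

/* 1 if the object is in the state that later produces the NULL write:
 * data_ NULL while datasize_ claims there is storage. */
int matrix_is_inconsistent(const matrix_t *m)
{
    return m != NULL && m->data_ == NULL && m->datasize_ != 0;
}

/* Bounds-checked element store, the kind of operation a decoder performs
 * when it fills rows. A writer that trusted datasize_ alone would write
 * through NULL on an inconsistent matrix; this one refuses and returns -1. */
int matrix_set(matrix_t *m, long row, long col, int value)
{
    if (m == NULL || m->data_ == NULL)
        return -1;
    if (row < 0 || col < 0 || row >= m->numrows_ || col >= m->numcols_)
        return -1;
    m->data_[row * m->numcols_ + col] = value;
    return 0;
}

void matrix_destroy(matrix_t *m)
{
    if (m != NULL) {
        free(m->data_);
        free(m);
    }
}
```

The invariant worth keeping in mind for any such allocator is that the size field and the pointer must agree; validating the inputs at construction time is what keeps every later consumer (here matrix_set, in JasPer the BMP decoder) from having to re-derive that the pointer is usable.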
(In reply to Tomas Hoger from comment #6)
> addressed in version 1.900.9 via this commit:
>
> https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698

This commit also adds additional sanity checks to bmp_decode(), which do not prevent crashes on the provided reproducers.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208