Bug 1393882 (CVE-2016-9262) - CVE-2016-9262 jasper: integer truncation in jas_image_cmpt_create()
Summary: CVE-2016-9262 jasper: integer truncation in jas_image_cmpt_create()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-9262
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1393883 1393884 1393885 1393887 1439171 1439172 1439173 1439174
Blocks: 1314477
Reported: 2016-11-10 14:33 UTC by Adam Mariš
Modified: 2019-09-29 13:59 UTC (History)

Fixed In Version: jasper 1.900.22
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-09 21:44:25 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1208 0 normal SHIPPED_LIVE Important: jasper security update 2017-05-09 21:13:57 UTC

Description Adam Mariš 2016-11-10 14:33:29 UTC
A number of overflows were found in jasper causing a use-after-free vulnerability triggered by a crafted image.

Upstream patch:

https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735

Reproducer:

https://github.com/asarubbo/poc/blob/master/00028-jasper-uaf-jas_realloc

CVE assignment:

http://seclists.org/oss-sec/2016/q4/385

Comment 1 Adam Mariš 2016-11-10 14:34:42 UTC
Created mingw-jasper tracking bugs for this issue:

Affects: fedora-all [bug 1393884]
Affects: epel-7 [bug 1393887]

Comment 2 Adam Mariš 2016-11-10 14:35:01 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1393883]
Affects: epel-5 [bug 1393885]

Comment 3 Tomas Hoger 2017-03-29 13:25:14 UTC
Upstream bug report:

https://github.com/mdadams/jasper/issues/74

Original reporter's advisory:

https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c/

Relevant info from the advisory:

A crafted image, maybe posted in the past as testcase for another bug, causes in the 1.900.18 version a use-after-free. No fuzzers involved at this time.

The complete ASan output:

# imginfo -f $FILE
Corrupt JPEG data: 19 extraneous bytes before marker 0xda
=================================================================
==21990==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000009b80 at pc 0x7fce4229d29d bp 0x7fffab22f9a0 sp 0x7fffab22f998
READ of size 8 at 0x619000009b80 thread T0
    #0 0x7fce4229d29c in jas_realloc /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:182:21
    #1 0x7fce422a5e38 in mem_resize /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:1001:14
    #2 0x7fce422a5e38 in mem_write /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:1027
    #3 0x7fce422a30e5 in jas_stream_flushbuf /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:822:7
    #4 0x7fce422a4b4c in jas_stream_flush /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:752:9
    #5 0x7fce422a4b4c in jas_stream_seek /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_stream.c:659
    #6 0x7fce42273928 in jas_image_cmpt_create /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:351:4
    #7 0x7fce42276986 in jas_image_addcmpt /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:723:18
    #8 0x7fce4233e3fc in jpg_mkimage /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/jpg/jpg_dec.c:268:7
    #9 0x7fce4233e3fc in jpg_decode /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/jpg/jpg_dec.c:183
    #10 0x7fce422749bd in jas_image_decode /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_image.c:396:16
    #11 0x4f1330 in main /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/appl/imginfo.c:203:16
    #12 0x7fce4138961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #13 0x418cb8 in _init (/usr/bin/imginfo+0x418cb8)

0x619000009b80 is located 0 bytes inside of 1056-byte region [0x619000009b80,0x619000009fa0)
freed by thread T0 here:
    #0 0x4bff00 in free /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x7fce4229d359 in jas_free /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:225:3

previously allocated by thread T0 here:
    #0 0x4c0208 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7fce4229d0b2 in jas_malloc /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:148:13

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/media-libs/jasper-1.900.18/work/jasper-1.900.18/src/libjasper/base/jas_malloc.c:182:21 in jas_realloc
==21990==ABORTING

Affected version: 1.900.18

Fixed version: 1.900.22

Commit fix:
https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735

Comment 4 Tomas Hoger 2017-03-29 13:32:35 UTC
This is one of the problems that were already discussed as part of CVE-2015-5203, see bug 1254242 comment 11. There was an integer overflow problem in the jas_image_cmpt_create() function. Earlier patches ensured that the result of the multiplication can fit into the size_t type, but later passed the value to the jas_stream_memopen() function, which takes the size with the type int. This integer truncation could lead to a bypass of the original integer overflow fix.
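
Added example (not part of the bug report or of jasper's code) showing the gap comment 4 describes: a buffer size that passes a size_t overflow check still truncates when it is narrowed to an int parameter, and the range check a caller needs before the narrowing. The function names and the 65536 x 65536 dimensions are hypothetical stand-ins.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not jasper code: hypothetical stand-in for the component
 * buffer size computed in jas_image_cmpt_create() (width * height * bytes
 * per sample). Returns false if the product overflows size_t, which is all
 * the earlier CVE-2015-5203 fix checked. */
bool cmpt_size_fits_size_t(size_t width, size_t height, size_t bps, size_t *out)
{
    if (width != 0 && height > SIZE_MAX / width)
        return false;
    size_t area = width * height;
    if (bps != 0 && area > SIZE_MAX / bps)
        return false;
    *out = area * bps;
    return true;
}

/* The truncation itself: narrowing the checked size_t to the int parameter
 * that jas_stream_memopen() took. Values above INT_MAX are converted in an
 * implementation-defined way; on common compilers they wrap modulo 2^32. */
int truncate_to_int(size_t n)
{
    return (int)n;
}

/* Hardened conversion: refuse any size that does not fit the int parameter. */
bool size_to_int_checked(size_t n, int *out)
{
    if (n > (size_t)INT_MAX)
        return false;
    *out = (int)n;
    return true;
}

int main(void)
{
    /* Constructed dimensions: 65536 x 65536 x 1 byte = 2^32 bytes, which
     * fits a 64-bit size_t but narrows to 0 in a 32-bit int. */
    size_t need;
    int n;
    if (!cmpt_size_fits_size_t(65536, 65536, 1, &need))
        return 1;
    printf("size_t check passed: %zu bytes\n", need);
    printf("narrowed to int: %d\n", truncate_to_int(need));
    printf("checked conversion: %s\n", size_to_int_checked(need, &n) ? "ok" : "rejected");
    return 0;
}
```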

Comment 7 errata-xmlrpc 2017-05-09 17:18:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208
