An assertion failure was found in jasper triggered when tiles lie outside of the image area. Upstream patch: https://github.com/mdadams/jasper/commit/ba2b9d000660313af7b692542afbd374c5685865 CVE assignment: http://seclists.org/oss-sec/2016/q4/441
Created mingw-jasper tracking bugs for this issue: Affects: fedora-all [bug 1396987] Affects: epel-7 [bug 1396989]
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1396986] Affects: epel-5 [bug 1396988]
This issue was reported upstream in: https://github.com/mdadams/jasper/issues/49 https://github.com/mdadams/jasper/issues/53 It was first incorrectly fixed in version jasper 1.900.13 by protecting against integer overflows in jpc_dec_process_siz() - see CVE-2016-9387 / bug 1396959. Re-fixed in version 1.900.14 using the fix linked to from comment 0. The impact of this flaw seems to be limited to triggering an assertion failure in jas_seq2d_create() function. Failed assertion causes program to exit unexpectedly, but does not allow code execution. As a precaution against impacts other than the known assertion failure, it may get addressed in future jasper packages in Red Hat Enterprise Linux 6 and 7.
Original reporter's advisory: https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/ Relevant info from the advisory: Affected version: 1.900.13 Output/failure: imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/base/jas_seq.c:90: jas_matrix_t *jas_seq2d_create(int, int, int, int): Assertion `xstart <= xend && ystart <= yend' failed. Commit fix: https://github.com/mdadams/jasper/commit/ba2b9d000660313af7b692542afbd374c5685865 Fixed version: 1.900.14 Testcase: https://github.com/asarubbo/poc/blob/master/00007-jasper-assert-jas_matrix_t CVE: CVE-2016-9390
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208