An assertion failure was used in JPC bitstream code when an integer larger than what can be handled is requested.
Upstream patch: https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b
CVE assignment: http://seclists.org/oss-sec/2016/q4/441
Created mingw-jasper tracking bugs for this issue:
Affects: fedora-all [bug 1396987]
Affects: epel-7 [bug 1396989]
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1396986]
Affects: epel-5 [bug 1396988]
Original reporter's advisory: https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure/
Upstream bug report: https://github.com/mdadams/jasper/issues/59
Test case: https://github.com/asarubbo/poc/blob/master/00014-jasper-assert-jpc_bitstream_getbits
Impact of this problem is limited to unexpected application termination. There is currently no plan to backport the fix to already released Red Hat Enterprise Linux versions.
Quoting relevant part of the original reporter's advisory for posterity:
Affected version: 1.900.13
Output/failure:
type = 0xff05 (UNKNOWN); len = 20;01 40 40 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00
imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_bs.c:197: long jpc_bitstream_getbits(jpc_bitstream_t *, int): Assertion `n >= 0 && n < 32' failed.
Commit fix: https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b
Fixed version: 1.900.14
Testcase: https://github.com/asarubbo/poc/blob/master/00014-jasper-assert-jpc_bitstream_getbits
CVE: CVE-2016-9391
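The failure mode quoted above, sketched as an added example (not JasPer's code and not the upstream patch): a bit reader that treats a bit count outside the asserted range `n >= 0 && n < 32` as a decode error, so a malformed file is rejected and the process keeps running. The names `bitreader_t`, `br_getbits` and `decode_field`, the simplified reader without bit stuffing, and the sample bytes are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal MSB-first bit reader (not JasPer's jpc_bitstream_t). */
typedef struct { const unsigned char *buf; size_t len, bitpos; } bitreader_t;

/* Read n bits as a non-negative long; return -1 on a bad count or short input.
 * An out-of-range n is a data error rather than an assertion, because n can
 * be derived from fields of the file being decoded. */
long br_getbits(bitreader_t *br, int n)
{
    long v = 0;
    if (n < 0 || n >= 32)
        return -1;                        /* same range the assertion checked */
    if ((size_t)n > br->len * 8 - br->bitpos)
        return -1;                        /* not enough data left */
    while (n-- > 0) {
        unsigned char byte = br->buf[br->bitpos >> 3];
        v = (v << 1) | ((byte >> (7 - (br->bitpos & 7))) & 1);
        br->bitpos++;
    }
    return v;
}

/* Constructed format: one byte giving a field width in bits, followed by
 * the value encoded with that many bits. */
int decode_field(const unsigned char *data, size_t len, long *out)
{
    bitreader_t br = { data, len, 0 };
    long width = br_getbits(&br, 8);
    if (width < 0)
        return -1;
    long v = br_getbits(&br, (int)width); /* width comes from the input */
    if (v < 0)
        return -1;                        /* reject the stream, keep running */
    *out = v;
    return 0;
}

int main(void)
{
    const unsigned char good[] = { 12, 0xAB, 0xC0 };           /* constructed */
    const unsigned char bad[]  = { 40, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
    long v = 0;
    int rc = decode_field(good, sizeof good, &v);
    printf("good: rc=%d v=0x%lx\n", rc, v);
    rc = decode_field(bad, sizeof bad, &v);
    printf("bad:  rc=%d\n", rc);
    return 0;
}
```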
Re-considering inclusion for easier future testing.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2017:1208 https://access.redhat.com/errata/RHSA-2017:1208