There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a denial of service attack. Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1485287
Created jasper tracking bugs for this issue: Affects: fedora-all [bug 1434464] Created mingw-jasper tracking bugs for this issue: Affects: epel-7 [bug 1434465] Affects: fedora-all [bug 1434467]
Reported upstream now via: https://github.com/mdadams/jasper/issues/168 There is no bug in jas_strdup() as originally claimed, and only a fairly minor issue in the imginfo tool related to jas_strdup(), as the tool does not de-init Jasper library properly on errors. That does not really matter, as the program exits immediately. The real problem seems to be a lack of proper release of memory used to store image tile data when image decoding fails. There's also an open merge request upstream that aims to address this problem by calling jpc_dec_tilefini() from jpc_dec_destroy(): https://github.com/mdadams/jasper/pull/159 However, the problem remains unfixed in the current upstream version 2.0.14.
Upstream commit: https://github.com/jasper-software/jasper/commit/c4d3456d4e3f071ab7b3323422282e880a6b10ca The issue was fixed upstream in jasper 2.0.17.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-13748