Bug 1646647 (CVE-2018-18873) - CVE-2018-18873 jasper: NULL pointer dereference in ras_putdatastd() in ras_enc.c
Summary: CVE-2018-18873 jasper: NULL pointer dereference in ras_putdatastd() in ras_enc.c
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-18873
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1646649 1646650 1646651 1646652
Blocks: 1646653
TreeView+ depends on / blocked
 
Reported: 2018-11-05 19:45 UTC by Laura Pardo
Modified: 2020-12-11 21:51 UTC (History)
10 users (show)

Fixed In Version: jasper 2.0.17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-23 13:32:17 UTC


Attachments (Terms of Use)

Description Laura Pardo 2018-11-05 19:45:00 UTC
An issue was discovered in JasPer 2.0.14. There is a NULL pointer dereference in the function ras_putdatastd in ras/ras_enc.c. 


References:
https://github.com/mdadams/jasper/issues/184

Comment 1 Laura Pardo 2018-11-05 19:45:49 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1646649]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1646651]
Affects: fedora-all [bug 1646650]

Comment 5 Tomas Hoger 2020-04-23 12:35:53 UTC
This affects not only versions 2.0.*, but also 1.900.*.  The problem remains unfixed in the currently latest upstream version 2.0.16.

This flaw exists in the code for writing image into the RAS (Sun Raster) format.  It does not affect the most typical uses of Jasper library to read JPEG2000 images.

Comment 7 Tomas Hoger 2020-12-11 21:51:46 UTC
Upstream commit:

https://github.com/jasper-software/jasper/commit/12db8078ba17a8ffc5cc2429fb506988f0f11b44

Fixed upstream in jasper 2.0.17.


Note You need to log in before you can comment on or make changes to this bug.