1649110 – (CVE-2018-19139) CVE-2018-19139 jasper: memory leak of data allocated in jpc_unk_getparms() after abort in jpc_dec_process_sot()

Bug 1649110 (CVE-2018-19139) - CVE-2018-19139 jasper: memory leak of data allocated in jpc_unk_getparms() after abort in jpc_dec_process_sot()

Summary: CVE-2018-19139 jasper: memory leak of data allocated in jpc_unk_getparms() af...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2018-19139
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1649111 1649112 1649113 1649115 1649116
Blocks:	1649114
TreeView+	depends on / blocked

Reported:	2018-11-12 23:02 UTC by Laura Pardo
Modified:	2020-05-04 20:41 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-05-04 20:41:50 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-11-12 23:02:33 UTC

An issue has been found in JasPer 2.0.14. There is a memory leak in jas_malloc.c when called from jpc_unk_getparms in jpc_cs.c.


References:
https://github.com/mdadams/jasper/issues/188

Comment 1 Laura Pardo 2018-11-12 23:03:33 UTC

Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1649111]


Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1649113]
Affects: fedora-all [bug 1649112]

Comment 5 Tomas Hoger 2020-05-04 20:41:50 UTC

The reproducer triggers assertion failure abort in jpc_dec_process_sot() known as CVE-2017-13745 (bug 1488958) that remains unfixed upstream.  The reported leak is minor, and it does not make much sense to consider it as a security problem while the abort problem is not fixed.  Not currently planning to address this issue in Red Hat products.

Note You need to log in before you can comment on or make changes to this bug.