Bug 1649110 (CVE-2018-19139) - CVE-2018-19139 jasper: memory leak of data allocated in jpc_unk_getparms() after abort in jpc_dec_process_sot()
Summary: CVE-2018-19139 jasper: memory leak of data allocated in jpc_unk_getparms() af...
Alias: CVE-2018-19139
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1649111 1649112 1649113 1649115 1649116
Blocks: 1649114
TreeView+ depends on / blocked
Reported: 2018-11-12 23:02 UTC by Laura Pardo
Modified: 2020-05-04 20:41 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-05-04 20:41:50 UTC

Attachments (Terms of Use)

Description Laura Pardo 2018-11-12 23:02:33 UTC
An issue has been found in JasPer 2.0.14. There is a memory leak in jas_malloc.c when called from jpc_unk_getparms in jpc_cs.c.


Comment 1 Laura Pardo 2018-11-12 23:03:33 UTC
Created jasper tracking bugs for this issue:

Affects: fedora-all [bug 1649111]

Created mingw-jasper tracking bugs for this issue:

Affects: epel-7 [bug 1649113]
Affects: fedora-all [bug 1649112]

Comment 5 Tomas Hoger 2020-05-04 20:41:50 UTC
The reproducer triggers assertion failure abort in jpc_dec_process_sot() known as CVE-2017-13745 (bug 1488958) that remains unfixed upstream.  The reported leak is minor, and it does not make much sense to consider it as a security problem while the abort problem is not fixed.  Not currently planning to address this issue in Red Hat products.

Note You need to log in before you can comment on or make changes to this bug.