Bugzilla – Bug 1010979
VUL-0: CVE-2016-9398: jasper: jpc_math.c:94: int jpc_floorlog2(int): Assertion 'x > 0' failed.
Last modified: 2022-06-10 13:08:55 UTC
CVE-2016-9398
Affected version: 1.900.17
Output/failure: imginfo: /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_math.c:94: int jpc_floorlog2(int): Assertion `x > 0' failed.
Commit fix: N/A
Fixed version: N/A
Testcase: https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9398
http://seclists.org/oss-sec/2016/q4/441
Created attachment 702723
CVE-2016-9398.jasper
QA REPRODUCER:
jasper --input !$ --output foo.bmp
jasper --input CVE-2016-9398.jasper --output foo.bmp
jasper: jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
Abgebrochen (Speicherabzug geschrieben)
bugbot adjusting priority
Created attachment 706209
Patch that solves that assert
SUSE-SU-2017:0084-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015993
CVE References: CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9591
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): jasper-1.900.14-184.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): jasper-1.900.14-184.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): jasper-1.900.14-184.1
SUSE Linux Enterprise Server 12-SP2 (src): jasper-1.900.14-184.1
SUSE Linux Enterprise Server 12-SP1 (src): jasper-1.900.14-184.1
SUSE Linux Enterprise Desktop 12-SP2 (src): jasper-1.900.14-184.1
SUSE Linux Enterprise Desktop 12-SP1 (src): jasper-1.900.14-184.1
openSUSE-SU-2017:0101-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015993
CVE References: CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9591
Sources used:
openSUSE Leap 42.2 (src): jasper-1.900.14-170.1
openSUSE Leap 42.1 (src): jasper-1.900.14-170.1
SUSE-SU-2017:0946-1: An update that fixes 10 vulnerabilities is now available.
Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015400,1015993,1018088,1020353,1021868,1029497
CVE References: CVE-2016-10251,CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9583,CVE-2016-9591,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): jasper-1.900.14-134.32.1
SUSE Linux Enterprise Server 11-SP4 (src): jasper-1.900.14-134.32.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): jasper-1.900.14-134.32.1
Upstream bug: https://github.com/mdadams/jasper/issues/71 They used https://github.com/mdadams/jasper/commit/910c351ff5a80a373c5f0ec19f012e8d52b8b4c9 to fix it but later reverted via https://github.com/mdadams/jasper/commit/fc03b57384225055847ec92659e50f95d9ea63f2 Their fix was: >--- a/src/libjasper/jpc/jpc_t1cod.c >+++ b/src/libjasper/jpc/jpc_t1cod.c >@@ -210,7 +210,8 @@ int JPC_SEGPASSCNT(int passno, int firstpassno, int >numpasses, int bypass, int t > } else { > ret = JPC_PREC * 3 - 2; > } >- ret = JAS_MIN(ret, numpasses - passno); >+ if (passno < numpasses) >+ ret = JAS_MIN(ret, numpasses - passno); > return ret; > } while ours is: >--- jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c 2016-10-18 >08:27:00.000000000 +0200 >+++ jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c 2016-12-13 >10:42:02.827869570 +0100 >@@ -296,6 +296,9 @@ > passno = cblk->firstpassno + >cblk->numpasses + mycounter; > /* XXX - the maxpasses is not set precisely but this doesn't matter... >*/ > maxpasses = >JPC_SEGPASSCNT(passno, cblk->firstpassno, 10000, (ccp->cblkctx & JPC_COX_LAZY) >!= 0, (ccp->cblkctx & JPC_COX_TERMALL) != 0); >+ // Avoid maxpasses to be >negative >+ if (maxpasses < 0) >+ maxpasses = -maxpasses; > if (!discard && !seg) { > if (!(seg = >jpc_seg_alloc())) { > return -1;
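Review bot: In the jpc_t1cod.c hunk, guarding the clamp with `if (passno < numpasses)` means that for passno >= numpasses the function returns the unclamped count (for example `JPC_PREC * 3 - 2`), so the caller is handed a positive pass count when `numpasses - passno` says none remain. The out-of-range case should be handled explicitly, either by returning an error value that callers check or by rejecting the code stream before this call, rather than by skipping the `JAS_MIN` line. A short comment stating what the function returns when passno is past numpasses would also help.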
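Review bot: In the jpc_t2dec.c hunk, `maxpasses = -maxpasses;` converts the signal that passno has run past the 10000 limit passed to JPC_SEGPASSCNT into an unrelated positive count, so decoding continues with a value that has no meaning for this segment. This function already uses `return -1;` for failure a few lines below, so rejecting the packet when `maxpasses < 0` would be cleaner. The check also lets 0 through (passno equal to 10000), which should be a deliberate decision. As a style point, the new comment uses `//` while the comment directly above uses `/* */`.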
Hi Marcus,
What do you think about our fix jasper-CVE-2016-9398.patch ( https://build.opensuse.org/package/view_file/graphics/jasper/jasper-CVE-2016-9398.patch?expand=1 )?
Resulting in:
jasper --input CVE-2016-9398.jasper --output foo.bmp
alignment failed
jpc_dec_decodepkts failed
error: cannot decode code stream
error: cannot load image data
Upstream reverted their fix (mentioned in https://bugzilla.suse.com/show_bug.cgi?id=1010979#c7 ) for only masking the issue.
This really looks weird, why negating it? This negation is wrong I think.
> This really looks weird, why negating it?
Probably just so that the later assert doesn't get triggered.
Note to self:
Fixes:
https://github.com/jasper-software/jasper/commit/c6f9fb6ec7fc97a5c4213f9077faf8622685d160
https://github.com/jasper-software/jasper/pull/227/commits/b412b6a5b3076a9db08900ab2c1d47c090d7470d
Context:
https://github.com/jasper-software/jasper/issues/225
https://github.com/jasper-software/jasper/issues/71
https://github.com/jasper-software/jasper/issues/190
Since we already had jasper-CVE-2016-9398.patch as one of the earliest patches, and several other patches would depend on this one, I added patch jasper-CVE-2016-9398-upstream.patch which reverts jasper-CVE-2016-9398.patch and uses the upstream fixes:
https://github.com/jasper-software/jasper/commit/9580dcb0b40a8ebe1bd45976235f2f518d0adc0b
https://github.com/jasper-maint/jasper/commit/c6f9fb6ec7fc97a5c4213f9077faf8622685d160
Those commits limit the range to possible values instead of just negating.
SLE11: SR#225217
SLE12: SR#225218
SLE15: SR#225220
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available.
Category: security (low)
Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): jasper-1.900.14-195.22.1
SUSE Linux Enterprise Server 12-SP5 (src): jasper-1.900.14-195.22.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2689-1: An update that fixes 14 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): jasper-2.0.14-3.16.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1517-1: An update that fixes 14 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): jasper-2.0.14-lp151.4.9.1
openSUSE-SU-2020:1523-1: An update that fixes 14 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): jasper-2.0.14-lp152.7.3.1
Done, closing.