Bug 1010979 (CVE-2016-9398) - VUL-0: CVE-2016-9398: jasper: jpc_math.c:94: int jpc_floorlog2(int): Assertion 'x > 0' failed.
Status: RESOLVED FIXED
Alias: CVE-2016-9398
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/176456/
Whiteboard: CVSSv2:SUSE:CVE-2016-9398:1.5:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-18 15:57 UTC by Marcus Meissner
Modified: 2022-06-10 13:08 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2016-9398.jasper (1.04 KB, application/octet-stream)
2016-11-18 15:59 UTC, Marcus Meissner
Patch that solves that assert (667 bytes, patch)
2016-12-13 10:11 UTC, Fridrich Strba

Description Marcus Meissner 2016-11-18 15:57:37 UTC
CVE-2016-9398


Affected version:
1.900.17
Output/failure:
imginfo: /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_math.c:94: int jpc_floorlog2(int): Assertion `x > 0' failed.
Commit fix:
N/A
Fixed version:
N/A
Testcase:
https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9398
http://seclists.org/oss-sec/2016/q4/441
Comment 1 Marcus Meissner 2016-11-18 15:59:51 UTC
Created attachment 702723
CVE-2016-9398.jasper

QA REPRODUCER:

jasper --input !$ --output foo.bmp
jasper --input CVE-2016-9398.jasper --output foo.bmp
jasper: jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
Abgebrochen (Speicherabzug geschrieben)
Comment 2 Swamp Workflow Management 2016-11-18 23:01:53 UTC
bugbot adjusting priority
Comment 3 Fridrich Strba 2016-12-13 10:11:11 UTC
Created attachment 706209
Patch that solves that assert
Comment 4 Swamp Workflow Management 2017-01-08 16:07:50 UTC
SUSE-SU-2017:0084-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015993
CVE References: CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9591
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Server 12-SP2 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Server 12-SP1 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    jasper-1.900.14-184.1
Comment 5 Swamp Workflow Management 2017-01-10 18:08:30 UTC
openSUSE-SU-2017:0101-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015993
CVE References: CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9591
Sources used:
openSUSE Leap 42.2 (src):    jasper-1.900.14-170.1
openSUSE Leap 42.1 (src):    jasper-1.900.14-170.1
Comment 6 Swamp Workflow Management 2017-04-05 19:09:03 UTC
SUSE-SU-2017:0946-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015400,1015993,1018088,1020353,1021868,1029497
CVE References: CVE-2016-10251,CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9583,CVE-2016-9591,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    jasper-1.900.14-134.32.1
SUSE Linux Enterprise Server 11-SP4 (src):    jasper-1.900.14-134.32.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    jasper-1.900.14-134.32.1
Comment 7 Michael Vetter 2019-03-12 16:11:38 UTC
Upstream bug: https://github.com/mdadams/jasper/issues/71
They used https://github.com/mdadams/jasper/commit/910c351ff5a80a373c5f0ec19f012e8d52b8b4c9 to fix it but later reverted via https://github.com/mdadams/jasper/commit/fc03b57384225055847ec92659e50f95d9ea63f2

Their fix was:
>--- a/src/libjasper/jpc/jpc_t1cod.c
>+++ b/src/libjasper/jpc/jpc_t1cod.c
>@@ -210,7 +210,8 @@ int JPC_SEGPASSCNT(int passno, int firstpassno, int >numpasses, int bypass, int t
> 	} else {
> 		ret = JPC_PREC * 3 - 2;
> 	}
>-	ret = JAS_MIN(ret, numpasses - passno);
>+	if (passno < numpasses)
>+		ret = JAS_MIN(ret, numpasses - passno);
> 	return ret;
> }
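Review bot: the `if (passno < numpasses)` guard leaves `ret` at its precomputed value (for the plain case, `JPC_PREC * 3 - 2`) whenever passno is at or beyond numpasses, so a caller with an out-of-range pass index now gets a positive pass count instead of the zero or negative one that made `jpc_floorlog2` assert; the assertion disappears but the decoder keeps parsing a code block that has no such pass, which fits the note in this comment that upstream reverted the change for only masking the issue. The pass index should be validated and reported as an error (a negative return that callers already check for) rather than silently left unclamped, and the behaviour for passno >= numpasses should be documented in the function's comment.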

while ours is:
>--- jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c	2016-10-18 >08:27:00.000000000 +0200
>+++ jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c	2016-12-13 >10:42:02.827869570 +0100
>@@ -296,6 +296,9 @@
> 						passno = cblk->firstpassno + >cblk->numpasses + mycounter;
> 	/* XXX - the maxpasses is not set precisely but this doesn't matter... >*/
> 						maxpasses = >JPC_SEGPASSCNT(passno, cblk->firstpassno, 10000, (ccp->cblkctx & JPC_COX_LAZY) >!= 0, (ccp->cblkctx & JPC_COX_TERMALL) != 0);
>+						// Avoid maxpasses to be >negative
>+						if (maxpasses < 0)
>+							maxpasses = -maxpasses;
> 						if (!discard && !seg) {
> 							if (!(seg = >jpc_seg_alloc())) {
> 								return -1;
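Review bot: negating `maxpasses` in the three added lines does not cover `maxpasses == 0` (JAS_MIN(ret, numpasses - passno) is 0 when passno == numpasses, and -0 is still 0, so the `x > 0` assertion in jpc_floorlog2 fires as before), and for negative values it substitutes an arbitrary positive count, so the following header fields are read with a wrong bit width, which is consistent with the "alignment failed" output in comment 8. Suggest treating `maxpasses <= 0` as a malformed code stream and taking the existing error path (`return -1;`, as the `jpc_seg_alloc()` failure just below does) instead of flipping the sign; the `// Avoid maxpasses to be negative` comment is also a C++-style comment in a C file and should read `/* reject non-positive maxpasses */`.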
Comment 8 Michael Vetter 2019-03-25 11:01:30 UTC
Hi Marcus,

What do you think about our fix jasper-CVE-2016-9398.patch (https://build.opensuse.org/package/view_file/graphics/jasper/jasper-CVE-2016-9398.patch?expand=1)?

Resulting in:

jasper --input CVE-2016-9398.jasper --output foo.bmp
alignment failed
jpc_dec_decodepkts failed
error: cannot decode code stream
error: cannot load image data

Upstream reverted their fix (mentioned in https://bugzilla.suse.com/show_bug.cgi?id=1010979#c7 ) for only masking the issue.
Comment 9 Marcus Meissner 2019-03-27 16:34:47 UTC
This really looks weird, why negating it?

This negation is wrong I think.
Comment 10 Michael Vetter 2019-03-28 09:20:15 UTC
> This really looks weird, why negating it?

Probably just so that the later assert doesn't get triggered.
Comment 12 Michael Vetter 2020-08-26 11:04:32 UTC
Since we already had jasper-CVE-2016-9398.patch as one of the earliest patches, and several other patches would depend on this one I added patch jasper-CVE-2016-9398-upstream.patch which reverts jasper-CVE-2016-9398.patch and uses the upstream fixes: 
https://github.com/jasper-software/jasper/commit/9580dcb0b40a8ebe1bd45976235f2f518d0adc0b
https://github.com/jasper-maint/jasper/commit/c6f9fb6ec7fc97a5c4213f9077faf8622685d160

Those commits limit the range to possible values instead of just negating.

SLE11: SR#225217
SLE12: SR#225218
SLE15: SR#225220
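The difference between negating maxpasses (the patch quoted in comment 7) and limiting it to valid values (this comment), as an added C example that is not jasper's code and not taken from either patch: it models the tail of JPC_SEGPASSCNT() as quoted above and the `x > 0` assertion from the crash, and assumes the header length is read as numlenbits + floorlog2(maxpasses), with JPC_PREC standing in as 32.

```c
#include <assert.h>

#define JAS_MIN(a, b) ((a) < (b) ? (a) : (b))
#define JPC_PREC 32 /* assumed stand-in for jasper's precision constant */

/* Stand-in for jpc_floorlog2(): floor(log2(x)). The `x > 0` assertion is
 * the one that fires in the crash reported above. */
static int floorlog2(int x)
{
    int y = 0;
    assert(x > 0);
    while (x > 1) { x >>= 1; y++; }
    return y;
}

/* Tail of JPC_SEGPASSCNT() as quoted in the thread (plain, non-bypass,
 * non-termall case assumed): JAS_MIN() yields zero or a negative value as
 * soon as passno reaches or exceeds numpasses. */
static int segpasscnt(int passno, int numpasses)
{
    int ret = JPC_PREC * 3 - 2;
    ret = JAS_MIN(ret, numpasses - passno);
    return ret;
}

/* The first SUSE patch: flip the sign so the assertion stays quiet. The
 * result is positive but meaningless, so the packet header is then read
 * with a bogus bit count; and maxpasses == 0 still trips the assertion. */
static int lenbits_negate(int numlenbits, int passno, int numpasses)
{
    int maxpasses = segpasscnt(passno, numpasses);
    if (maxpasses < 0)
        maxpasses = -maxpasses;
    return numlenbits + floorlog2(maxpasses);
}

/* Range check instead: an out-of-range pass index means a malformed code
 * stream, so report -1 (the decoder's existing error convention) rather
 * than inventing a value. */
static int lenbits_checked(int numlenbits, int passno, int numpasses)
{
    int maxpasses;
    if (passno < 0 || passno >= numpasses)
        return -1;
    maxpasses = segpasscnt(passno, numpasses);
    return numlenbits + floorlog2(maxpasses);
}
```

With numpasses fixed at 10000 as in the quoted call, any passno of 10000 or more is exactly the input the checked variant rejects and the negating variant mis-handles.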
Comment 14 Swamp Workflow Management 2020-09-21 13:15:05 UTC
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available.

Category: security (low)
Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    jasper-1.900.14-195.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    jasper-1.900.14-195.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-09-21 13:22:27 UTC
SUSE-SU-2020:2689-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    jasper-2.0.14-3.16.1

Comment 16 Swamp Workflow Management 2020-09-24 16:18:04 UTC
openSUSE-SU-2020:1517-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    jasper-2.0.14-lp151.4.9.1
Comment 17 Swamp Workflow Management 2020-09-25 10:18:03 UTC
openSUSE-SU-2020:1523-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    jasper-2.0.14-lp152.7.3.1
Comment 18 Carlos López 2022-06-10 13:08:55 UTC
Done, closing.