Bug 1011830 - (CVE-2016-9560) VUL-0: CVE-2016-9560: jasper: stack-based buffer overflow in jpc_tsfb_getbands2 (jpc_tsfb.c)
(CVE-2016-9560)
VUL-0: CVE-2016-9560: jasper: stack-based buffer overflow in jpc_tsfb_getband...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: unspecified
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/176699/
CVSSv3:NVD:CVE-2016-9560:7.8:(AV:L/AC...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-23 10:42 UTC by Mikhail Kasimov
Modified: 2019-12-03 15:38 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2016-11-23 10:42:30 UTC
Reference: http://seclists.org/oss-sec/2016/q4/473
=======================================================
Description:
jasper is an open-source initiative to provide a free software-based reference 
implementation of the codec specified in the JPEG-2000 Part-1 standard.

A crafted image, through an intensive fuzz on the 1.900.22 version revealed a 
stack overflow.

The complete ASan output:

# imginfo -f $FILE
warning: trailing garbage in marker segment (9 bytes)
warning: trailing garbage in marker segment (28 bytes)
warning: trailing garbage in marker segment (40 bytes)
warning: ignoring unknown marker segment (0xffee)
type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 ff 00 
e4 00 10 00 00 4f warning: trailing garbage in marker segment (14 bytes)
=================================================================
==9166==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7faf2e200c20 at pc 0x7faf320a985a bp 0x7ffd397b9b10 sp 0x7ffd397b9b08
WRITE of size 4 at 0x7faf2e200c20 thread T0
    #0 0x7faf320a9859 in jpc_tsfb_getbands2 /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_tsfb.c:227:16
    #1 0x7faf320a9009 in jpc_tsfb_getbands2 /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_tsfb.c:223:3
    #2 0x7faf320a8b9f in jpc_tsfb_getbands /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_tsfb.c:187:3
    #3 0x7faf3200eaa6 in jpc_dec_tileinit /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_dec.c:714:4
    #4 0x7faf3200eaa6 in jpc_dec_process_sod /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_dec.c:560
    #5 0x7faf3201c1c3 in jpc_dec_decode /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_dec.c:391:10
    #6 0x7faf3201c1c3 in jpc_decode /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_dec.c:255
    #7 0x7faf31f7e684 in jas_image_decode /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/base/jas_image.c:406:16
    #8 0x509c9a in main /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/appl/imginfo.c:203:16
    #9 0x7faf3108761f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419988 in _init (/usr/bin/imginfo+0x419988)

Address 0x7faf2e200c20 is located in stack of thread T0 at offset 3104 in 
frame
    #0 0x7faf3200dbbf in jpc_dec_process_sod /tmp/portage/media-
libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_dec.c:544

  This frame has 1 object(s):
    [32, 3104) 'bnds.i' 0x0ff665c38180: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 
f3 f3 f3
  0x0ff665c38190: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff665c381a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff665c381b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff665c381c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff665c381d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9166==ABORTING

Affected version:
1.900.22

Fixed version:
1.900.30

Commit fix:
https://github.com/mdadams/jasper/commit/1abc2e5a401a4bf1d5ca4df91358ce5df111f495

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00047-jasper-stackoverflow-jpc_tsfb_getbands2

Timeline:
2016-11-09: bug discovered and reported to upstream
2016-11-20: upstream released a patch
2016-11-20: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/20/jasper-stack-based-buffer-overflow-in-jpc_tsfb_getbands2-jpc_tsfb-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
=======================================================
Comment 1 Swamp Workflow Management 2016-11-23 23:00:58 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2017-01-08 16:08:01 UTC
SUSE-SU-2017:0084-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015993
CVE References: CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9591
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Server 12-SP2 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Server 12-SP1 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    jasper-1.900.14-184.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    jasper-1.900.14-184.1
Comment 3 Swamp Workflow Management 2017-01-10 18:08:43 UTC
openSUSE-SU-2017:0101-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015993
CVE References: CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9591
Sources used:
openSUSE Leap 42.2 (src):    jasper-1.900.14-170.1
openSUSE Leap 42.1 (src):    jasper-1.900.14-170.1
Comment 4 Swamp Workflow Management 2017-04-05 19:09:13 UTC
SUSE-SU-2017:0946-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1010977,1010979,1011830,1012530,1015400,1015993,1018088,1020353,1021868,1029497
CVE References: CVE-2016-10251,CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9583,CVE-2016-9591,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    jasper-1.900.14-134.32.1
SUSE Linux Enterprise Server 11-SP4 (src):    jasper-1.900.14-134.32.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    jasper-1.900.14-134.32.1
Comment 5 Swamp Workflow Management 2017-07-25 13:27:32 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-08-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63789
Comment 6 Marcus Meissner 2019-11-02 20:03:33 UTC
released