Bugzilla – Bug 1020451
VUL-1: CVE-2017-5499,CVE-2017-5500,CVE-2017-5501,CVE-2017-5502: jasper: multiple crashes with UBSAN
Last modified: 2020-12-22 08:46:59 UTC
Ref: [1] http://seclists.org/oss-sec/2017/q1/101

==============================================

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

With the undefined behavior sanitizer enabled, jasper crashes showing some left shift and some signed integer overflow.

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_h
Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11: runtime error: left shift of negative value -185

#################################################

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-jpc_dec_c
Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838:9: runtime error: signed integer overflow: -64356352 * 6359082673847140352 cannot be represented in type 'long'

#################################################

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c
Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819:40: runtime error: shift exponent 117 is too large for 64-bit type 'jpc_fix_t' (aka 'long')

#################################################

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00022-jasper-signedintoverflow-jpc_tsfb_c
Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233:35: runtime error: signed integer overflow: 2013306369 + 251691968 cannot be represented in type 'int'

#################################################

Affected version / Tested on: 1.900.17
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00030-jasper-leftshift-jp2_dec_c
Relevant part of the stacktrace:
# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:485:49: runtime error: left shift of negative value -26

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-10-28: bug discovered and reported to upstream
2017-01-16: blog post about the issues

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/

-- Agostino

==============================================

CVE assignment: [2] http://seclists.org/oss-sec/2017/q1/106

[3] https://software.opensuse.org/package/jasper
Although the jasper version here is 1.900.14, it can also be vulnerable.
bugbot adjusting priority
CVE-2017-5498 is already handled in #1020353
Regarding libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233

The issue can only be reproduced if jasper is compiled with '-fsanitize=undefined'. In all of our codestreams the reproducer causes the following assertion:

imginfo: jpc_t1cod.c:144: JPC_NOMINALGAIN: Assertion `qmfbid == 0x01' failed.

So this can be seen as a possible denial of service.

In the current upstream release of jasper the reproducer terminates with a programmatical error instead:

error: maximum number of samples exceeded (11223956736 > 67108864)
error: cannot decode code stream
cannot load image

The related upstream commit might be this one:
https://github.com/mdadams/jasper/commit/5185cb13

But there have been multiple similar commits for different decoders.
Regarding libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819

The issue can only be reproduced if jasper is compiled with '-fsanitize=undefined'. In all of our codestreams the reproducer causes the following assertion:

imginfo: jpc_dec.c:1829: jpc_dequantize: Assertion `absstepsize >= 0' failed.

So this can be seen as a possible denial of service.

In the current upstream release of jasper the reproducer terminates with a programmatical error instead:

warning: component data type mismatch
error: no COLR box
cannot load image

I couldn't find a related upstream commit for this. I think the function where this is happening is `jpc_calcabsstepsize()` and nothing was changed there. As this is also a bit shifting issue, my findings from bug 1020353 may also be valid.
Regarding libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:485

The issue can only be reproduced if jasper is compiled with '-fsanitize=undefined'. In all of our codestreams the reproducer causes a SIGABRT with no output. So this can be seen as a possible denial of service.

However, the current upstream code of jasper also simply aborts in this case. It seems nothing was fixed yet. The related code seems to be in function jp2_validate() which hasn't been changed upstream since the issue was reported.
Regarding libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838

The issue can only be reproduced if jasper is compiled with '-fsanitize=undefined'. In all of our codestreams the reproducer causes the following assertion:

imginfo: jpc_dec.c:1829: jpc_dequantize: Assertion `absstepsize >= 0' failed.

So this can be seen as a possible denial of service.

In the current upstream release of jasper the reproducer terminates with a programmatical error instead:

error: missing IHDR box
cannot load image

The related upstream commit might be this one:
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a

My findings from bug 1020353 regarding the bit shifting operations probably apply here, too.
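As an added illustration of the three operation classes UBSAN flagged in this report (left shift of a negative value, shift exponent wider than the type, signed overflow), the C helpers below show how each can be written with defined behaviour and replay the operand values quoted in the stack traces. This is example code written for this page, not jasper's code; `fix_t`, `safe_shl`, `safe_mul`, `safe_add_int` and the shift exponent 3 are assumptions, and the overflow builtins are the GCC/Clang ones.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not jasper's code. jpc_fix_t is `long` in jasper 1.900.17;
 * int64_t stands in for it so the width is explicit. */
typedef int64_t fix_t;

/* Left shift with defined behaviour: an exponent >= the type width is rejected
 * ("shift exponent 117 is too large") and a negative operand is shifted as an
 * unsigned value instead of hitting "left shift of negative value" UB. */
bool safe_shl(fix_t v, unsigned n, fix_t *out)
{
    if (n >= sizeof(fix_t) * CHAR_BIT)
        return false;
    uint64_t u = (uint64_t)v << n;   /* defined for any v once n < 64 */
    *out = (fix_t)u;                 /* implementation-defined, not UB */
    return true;
}

/* Multiplication with overflow detection (the jpc_dec.c:1838 pattern).
 * __builtin_mul_overflow / __builtin_add_overflow exist in GCC and Clang. */
bool safe_mul(fix_t a, fix_t b, fix_t *out)
{
    return !__builtin_mul_overflow(a, b, out);
}

/* int addition with overflow detection (the jpc_tsfb.c:233 pattern). */
bool safe_add_int(int a, int b, int *out)
{
    return !__builtin_add_overflow(a, b, out);
}

/* Replay the operand values quoted in the UBSAN reports above; the shift
 * exponent 3 for -185 is constructed (the report gives none). Returns 3:
 * the -185 shift is now defined, the other three operations are rejected. */
int count_rejected_reported_cases(void)
{
    fix_t f; int i; int rejected = 0;
    if (!safe_shl(-185, 3, &f)) rejected++;
    if (!safe_shl(1, 117, &f)) rejected++;
    if (!safe_mul(-64356352, 6359082673847140352LL, &f)) rejected++;
    if (!safe_add_int(2013306369, 251691968, &i)) rejected++;
    return rejected;
}
int main(void)
{
    printf("rejected %d of 4 operations\n", count_rejected_reported_cases());
    return 0;
}
```

Compiling the helpers with `-fsanitize=undefined` and feeding the same values produces no sanitizer report, which is the property the upstream fixes referenced in this bug are meant to restore.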
Fix https://github.com/jasper-software/jasper/commit/8c4e99592e7da53a9de2934bc7781535d0e0595d jasper-CVE-2017-5499.patch in home:mvetter:jasper-cves. Will submit once more issues are fixed.
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available.

Category: security (low)
Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): jasper-1.900.14-195.22.1
SUSE Linux Enterprise Server 12-SP5 (src): jasper-1.900.14-195.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2689-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): jasper-2.0.14-3.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed in all supported code streams.
openSUSE-SU-2020:1517-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): jasper-2.0.14-lp151.4.9.1
openSUSE-SU-2020:1523-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): jasper-2.0.14-lp152.7.3.1